
Please Help " Malwarebytes' Anti-Malware keep pop up"



Hello,

I really need help. My laptop keeps popping up "Malwarebytes' Anti-Malware. Successfully blocked access to a potentially malicious website: 94.228.209.200; 91.212.226.67; 85.12.46.156; 85.12.46.156 ...etc ...." I tried to perform a full scan using Malwarebytes and McAfee but I didn't see anything. I know my laptop is infected with a virus or something. Please help me: how can I stop it?

Thanks,


Hello,

My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply:

  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

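An added triage helper (example code written for this page; it is not from this thread, from Elise, or from OTL's author). It parses the OTL report line shapes that appear later in the thread (PRC/SRV/DRV entries, IE registry values, Firefox prefs, O1 hosts lines, O2/O3 add-ons) and flags the items a helper normally examines first, such as a browser proxy pointing at 127.0.0.1 or a component with no publisher name. The sample report is constructed from lines modelled on the pasted log, with a placeholder SID.

```python
"""Triage helper for OTL report lines (added example; not OTL's own code).

Heuristics only: a flag means "a helper should look at this", not "malicious".
"""
import re

# PRC/MOD/SRV/DRV head: kind, [timestamp | size | attrs | M], (company),
# optional [start type | state] on SRV/DRV lines, then " -- " and the path.
HEAD_RE = re.compile(
    r'^(?P<kind>PRC|MOD|SRV|DRV) - \[(?P<stamp>[^\]]*)\] \((?P<company>[^)]*)\) '
    r'(?:\[(?P<state>[^\]]*)\] )?-- '
)
# URLSearchHook line: key: {CLSID} - path (company); tried before IE_RE.
HOOK_RE = re.compile(
    r'^IE - (?P<key>.*URLSearchHook): (?P<clsid>\{[^}]*\}) - '
    r'(?P<path>.+?) \((?P<company>[^)]*)\)$'
)
# IE registry value line: key: "ValueName" = value
IE_RE = re.compile(r'^IE - (?P<key>.+?): "(?P<name>[^"]+)" = (?P<value>.*)$')
# Firefox prefs.js entry
FF_RE = re.compile(r'^FF - prefs\.js\.\.(?P<pref>[^:]+): (?P<value>.*)$')
# hosts file entry
HOSTS_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)$')
# O2 BHO and O3 toolbar entries: (name) - {CLSID} - path (company)
COM_RE = re.compile(
    r'^(?P<tag>O2 - BHO|O3 - [^:]+): \((?P<name>[^)]*)\) - (?P<clsid>\{[^}]*\}) - '
    r'(?P<path>.+?) \((?P<company>[^)]*)\)$'
)

LOOPBACK = ('127.0.0.1', 'localhost', '::1')


def is_loopback_proxy(value):
    """True for proxy settings such as http=127.0.0.1:5555 or 127.0.0.1."""
    return any(lb in value.lower() for lb in LOOPBACK)


def triage_line(line):
    """Return [(reason, detail)] flags for one OTL report line ([] if nothing to flag)."""
    line = line.rstrip()
    m = HEAD_RE.match(line)
    if m:
        # The path runs until the optional " -- (ServiceName)" tail.
        path = line[m.end():].split(' -- (', 1)[0]
        if not m.group('company').strip():
            return [('no publisher name in %s entry' % m.group('kind'), path)]
        return []
    m = HOOK_RE.match(line)
    if m:
        who = m.group('company').strip() or 'no publisher'
        return [('URLSearchHook installed (%s)' % who, m.group('path'))]
    m = IE_RE.match(line)
    if m:
        value = m.group('value').strip('"')
        # IE only honours ProxyServer when ProxyEnable is 1 in the same key, but a
        # loopback proxy still means a local process sits between the browser and
        # the network, so report it and check which process listens on that port.
        if m.group('name') == 'ProxyServer' and is_loopback_proxy(value):
            return [('IE proxy points at the local machine', value)]
        return []
    m = FF_RE.match(line)
    if m:
        value = m.group('value').strip('"')
        if m.group('pref') == 'network.proxy.http' and is_loopback_proxy(value):
            return [('Firefox proxy points at the local machine', value)]
        return []
    m = HOSTS_RE.match(line)
    if m:
        if m.group('host').lower() != 'localhost':
            detail = '%s %s' % (m.group('ip'), m.group('host'))
            return [('hosts file overrides a public name', detail)]
        return []
    m = COM_RE.match(line)
    if m and not m.group('company').strip():
        return [('browser add-on with no publisher name', m.group('path'))]
    return []


def triage_report(text):
    """Run triage_line over every line of an OTL report and collect the flags."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


# Constructed sample modelled on the log pasted in this thread (SID is a placeholder).
SAMPLE = r"""
PRC - [2010/03/29 15:24:54 | 000,303,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
DRV - [2008/01/03 16:21:32 | 000,026,504 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\swmsflt.sys -- (swmsflt)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
IE - HKU\S-1-5-21-EXAMPLE-500\..\URLSearchHook: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files\Search Toolbar\tbhelper.dll ()
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 5555
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 gs.apple.com
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Search Toolbar) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files\Search Toolbar\tbcore3.dll ()
"""

if __name__ == '__main__':
    for reason, detail in triage_report(SAMPLE):
        print('%-45s %s' % (reason, detail))
```

Run it against a real OTL.txt by passing the file contents to triage_report; every flag still needs a human decision, since a missing publisher name or a hosts override can be perfectly legitimate.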

Hi Elise,

Thanks for your help!

OTL logfile created on: 8/9/2010 7:05:21 AM - Run 1

OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\sjchopha\Desktop

Windows XP Tablet PC Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 59.00% Memory free

4.00 Gb Paging File | 3.00 Gb Available in Paging File | 80.00% Paging File free

Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 298.09 Gb Total Space | 228.27 Gb Free Space | 76.58% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: MLGM6HPHAME295

Current User Name: sjchopha

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Company Name Whitelist: Off

Skip Microsoft Files: Off

File Age = 30 Days

Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/08/09 07:03:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sjchopha\Desktop\OTL.exe

PRC - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

PRC - [2010/05/10 11:04:16 | 000,465,536 | ---- | M] (ASUSTek Computer Inc.) -- C:\Program Files\ASUS\ASUS Ai Charger\AiChargerAP.exe

PRC - [2010/03/29 15:24:54 | 000,303,952 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

PRC - [2010/03/29 15:24:52 | 000,437,584 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

PRC - [2009/10/22 20:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe

PRC - [2009/10/22 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe

PRC - [2009/10/22 20:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe

PRC - [2009/10/22 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe

PRC - [2009/10/15 20:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe

PRC - [2009/10/12 18:36:08 | 000,077,824 | ---- | M] (Flextronics Int) -- C:\Program Files\Flextronics Int\FlexInvSVC\FlexInvService.exe

PRC - [2009/09/25 04:50:00 | 000,185,664 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe

PRC - [2009/09/25 04:50:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe

PRC - [2009/09/25 04:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe

PRC - [2009/09/25 04:50:00 | 000,075,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe

PRC - [2008/12/26 14:22:42 | 000,148,712 | ---- | M] (Apricorn) -- C:\Program Files\Common Files\Apricorn\Schedule2\schedhlp.exe

PRC - [2008/12/26 14:22:34 | 000,410,856 | ---- | M] (Apricorn) -- C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe

PRC - [2008/12/26 14:18:00 | 001,169,264 | ---- | M] (Apricorn) -- C:\Program Files\Apricorn\EZ Gig II\EZGigMonitor.exe

PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

PRC - [2008/10/25 08:18:50 | 000,098,696 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE

PRC - [2008/10/20 11:08:32 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

PRC - [2008/09/30 17:04:26 | 000,905,512 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2tray.exe

PRC - [2008/09/30 17:04:26 | 000,258,856 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe

PRC - [2008/09/30 17:04:22 | 000,251,176 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2pre.exe

PRC - [2008/09/30 17:04:12 | 000,592,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMyPC\g2comm.exe

PRC - [2008/09/24 14:32:48 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

PRC - [2008/05/23 16:54:38 | 000,118,784 | ---- | M] (Bytemobile, Inc.) -- C:\WINDOWS\system32\bmwebcfg.exe

PRC - [2008/04/14 05:42:42 | 000,293,888 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wisptis.exe

PRC - [2008/04/14 05:42:38 | 000,043,520 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\tcserver.exe

PRC - [2008/04/14 05:42:24 | 000,029,696 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\keyboardsurrogate.exe

PRC - [2008/04/14 05:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe

PRC - [2008/02/21 14:00:00 | 000,188,928 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIEQA.EXE

PRC - [2007/11/01 14:00:50 | 000,794,624 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

PRC - [2007/11/01 13:40:04 | 001,183,744 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

PRC - [2007/11/01 13:35:40 | 000,483,328 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

PRC - [2006/10/05 17:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\WINDOWS\system32\agrsmsvc.exe

PRC - [2005/11/04 10:21:28 | 001,516,584 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Flextronics VPN Client\cvpnd.exe

PRC - [2002/08/29 11:41:28 | 000,035,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\tabbtnu.exe

========== Modules (SafeList) ==========

MOD - [2010/08/09 07:03:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sjchopha\Desktop\OTL.exe

MOD - [2008/04/14 05:42:08 | 000,250,368 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\sptip.dll

MOD - [2008/04/14 05:42:08 | 000,210,944 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\tiptsf.dll

MOD - [2008/04/14 05:42:08 | 000,038,912 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Ink\tipcomponentsps.dll

MOD - [2008/04/14 05:42:00 | 000,068,608 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msctfp.dll

MOD - [2008/04/14 05:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx

MOD - [2008/04/13 23:09:26 | 002,897,920 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\xpsp2res.dll

MOD - [2008/04/13 22:13:20 | 000,062,976 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ime\spgrmr.dll

MOD - [2002/08/29 11:41:08 | 000,023,552 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Journal\nbmaptip.dll

========== Win32 Services (SafeList) ==========

SRV - [2010/06/10 21:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)

SRV - [2010/03/29 15:24:54 | 000,303,952 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)

SRV - [2009/11/12 07:34:18 | 000,654,848 | ---- | M] (Macrovision Europe Ltd.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)

SRV - [2009/10/22 20:07:00 | 000,146,448 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe -- (McShield)

SRV - [2009/10/22 20:07:00 | 000,070,728 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)

SRV - [2009/10/22 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\engineserver.exe -- (McAfeeEngineService)

SRV - [2009/10/15 20:07:00 | 000,066,880 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe -- (McTaskManager)

SRV - [2009/10/12 18:36:08 | 000,077,824 | ---- | M] (Flextronics Int) [Auto | Running] -- C:\Program Files\Flextronics Int\FlexInvSVC\FlexInvService.exe -- (FlexInvSvc)

SRV - [2009/09/25 04:50:00 | 000,120,128 | ---- | M] (McAfee, Inc.) [unknown | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)

SRV - [2008/12/26 14:22:34 | 000,410,856 | ---- | M] (Apricorn) [Auto | Running] -- C:\Program Files\Common Files\Apricorn\Schedule2\schedul2.exe -- (AcrSch2Svc)

SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)

SRV - [2008/10/20 11:08:32 | 000,172,032 | ---- | M] (New Boundary Technologies, Inc.) [Auto | Running] -- C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS -- (PrismXL)

SRV - [2008/09/30 17:04:26 | 000,258,856 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Running] -- C:\Program Files\Citrix\GoToMyPC\g2svc.exe -- (GoToMyPC)

SRV - [2008/09/24 14:32:48 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)

SRV - [2008/05/23 17:01:54 | 000,106,496 | ---- | M] (PCTEL) [On_Demand | Stopped] -- C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe -- (ATTRcAppSvc)

SRV - [2008/05/23 16:54:38 | 000,118,784 | ---- | M] (Bytemobile, Inc.) [Auto | Running] -- C:\WINDOWS\System32\bmwebcfg.exe -- (bmwebcfg)

SRV - [2007/11/01 14:00:50 | 000,794,624 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng) Intel®

SRV - [2007/11/01 13:40:04 | 001,183,744 | ---- | M] (Intel Corporation ) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor) Intel®

SRV - [2007/11/01 13:35:40 | 000,483,328 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc) Intel®

SRV - [2007/01/19 12:54:14 | 000,097,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc)

SRV - [2006/10/05 17:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\WINDOWS\system32\agrsmsvc.exe -- (AgereModemAudio)

SRV - [2005/11/04 10:21:28 | 001,516,584 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Flextronics VPN Client\cvpnd.exe -- (CVPND)

SRV - [2004/08/04 13:00:00 | 000,019,456 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\system32\tcpsvcs.exe -- (LPDSVC)

========== Driver Services (SafeList) ==========

DRV - [2010/05/05 16:38:14 | 000,013,224 | ---- | M] (ASUSTek Computer Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\AiCharger.sys -- (AiCharger)

DRV - [2010/04/11 20:16:13 | 000,038,120 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)

DRV - [2010/04/11 20:16:12 | 000,397,640 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)

DRV - [2010/04/11 20:16:06 | 000,119,400 | ---- | M] (Apricorn) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\snapman.sys -- (snapman)

DRV - [2010/03/29 15:24:46 | 000,020,824 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)

DRV - [2009/10/22 20:07:00 | 000,343,664 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)

DRV - [2009/10/22 20:07:00 | 000,091,672 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)

DRV - [2009/10/22 20:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)

DRV - [2009/10/22 20:07:00 | 000,065,448 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)

DRV - [2009/10/22 20:07:00 | 000,063,728 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)

DRV - [2009/10/22 20:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)

DRV - [2009/09/03 10:52:44 | 000,046,720 | ---- | M] (ASIX Electronics Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ax88772.sys -- (AX88772)

DRV - [2008/07/04 06:33:34 | 003,230,720 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)

DRV - [2008/05/23 16:54:38 | 000,018,816 | ---- | M] (Bytemobile, Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\tcpipBM.sys -- (tcpipBM)

DRV - [2008/05/23 16:52:54 | 000,032,160 | ---- | M] (PCTEL Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\PCTINDIS5.sys -- (PCTINDIS5)

DRV - [2008/05/23 16:52:54 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)

DRV - [2008/04/14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)

DRV - [2008/04/14 00:06:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)

DRV - [2008/04/14 00:06:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)

DRV - [2008/04/13 22:06:06 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)

DRV - [2008/01/10 16:59:44 | 000,142,976 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swumx80.sys -- (SWUMX80) Sierra Wireless USB MUX Driver (UMTS80)

DRV - [2008/01/10 16:58:48 | 000,165,248 | ---- | M] (Sierra Wireless Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\swnc8u80.sys -- (SWNC8U80) Sierra Wireless MUX NDIS Driver (UMTS80)

DRV - [2008/01/03 16:21:32 | 000,026,504 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\swmsflt.sys -- (swmsflt)

DRV - [2007/10/31 10:23:20 | 002,236,544 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel®

DRV - [2007/08/27 11:10:36 | 000,012,288 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)

DRV - [2007/04/09 09:33:56 | 000,251,288 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express) Intel®

DRV - [2007/03/30 11:34:14 | 005,704,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\igxpmp32.sys -- (ialm)

DRV - [2007/03/09 08:40:02 | 000,010,496 | ---- | M] (Quanta Computer Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mstabbtn.sys -- (MSTabBtn)

DRV - [2007/02/12 12:36:54 | 000,277,784 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS -- (iaStor)

DRV - [2007/02/03 11:32:36 | 000,041,504 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)

DRV - [2007/02/03 11:25:56 | 001,075,360 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Camdrl.sys -- (CamDrL) Logitech QuickCam Pro 3000(CamDrl)

DRV - [2007/01/05 13:45:42 | 000,201,760 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)

DRV - [2006/11/28 20:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)

DRV - [2006/08/22 07:39:14 | 001,177,864 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)

DRV - [2006/07/06 23:44:00 | 000,168,448 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)

DRV - [2005/11/04 10:20:40 | 000,303,735 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)

DRV - [2005/06/29 19:50:30 | 000,110,080 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)

DRV - [2005/05/17 04:51:34 | 000,005,315 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)

DRV - [2005/01/26 06:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)

DRV - [2001/08/17 22:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)

DRV - [2001/08/17 22:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)

DRV - [2001/08/17 22:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)

DRV - [2001/08/17 22:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)

DRV - [2001/08/17 22:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)

DRV - [2001/08/17 21:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)

DRV - [2001/08/17 21:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)

DRV - [2001/08/17 21:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)

DRV - [2001/08/17 21:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)

DRV - [2001/08/17 21:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)

DRV - [2001/08/17 21:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)

DRV - [2001/08/17 21:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)

DRV - [2001/08/17 21:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)

DRV - [2001/08/17 21:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)

DRV - [2001/08/17 21:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...B&M=Gateway Viper-SR

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...B&M=Gateway Viper-SR

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...B&M=Gateway Viper-SR

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_page_URL = http://www.gateway.com/g/startpage.html?Ch...B&M=Gateway Viper-SR

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...B&M=Gateway Viper-SR

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-21-1880522794-4082022139-704450331-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://intranet.flextronics.com/corporate/default.aspx

IE - HKU\S-1-5-21-1880522794-4082022139-704450331-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1880522794-4082022139-704450331-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://intranet.flextronics.com/corporate/default.aspx

IE - HKU\S-1-5-21-1880522794-4082022139-704450331-500\..\URLSearchHook: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files\Search Toolbar\tbhelper.dll ()

IE - HKU\S-1-5-21-1880522794-4082022139-704450331-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-329068152-789336058-725345543-99290\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKU\S-1-5-21-329068152-789336058-725345543-99290\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com

IE - HKU\S-1-5-21-329068152-789336058-725345543-99290\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Restore = http://intranet.flextronics.com/corporate/default.aspx

IE - HKU\S-1-5-21-329068152-789336058-725345543-99290\..\URLSearchHook: {CA3EB689-8F09-4026-AA10-B9534C691CE0} - C:\Program Files\Search Toolbar\tbhelper.dll ()

IE - HKU\S-1-5-21-329068152-789336058-725345543-99290\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-329068152-789336058-725345543-99290\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Bing"

FF - prefs.js..browser.startup.homepage: "http://bing.zugo.com/?cfg=2-80-0-NQI9"

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7

FF - prefs.js..extensions.enabledItems: {896642E4-C556-4ED3-85D1-9AC431603E7D}:1.0.4

FF - prefs.js..extensions.enabledItems: {ce7291a3-19c1-bebe-bc29-dc440a781d4b}:4.6.6.6

FF - prefs.js..keyword.URL: "http://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q="

FF - prefs.js..network.proxy.http: "127.0.0.1"

FF - prefs.js..network.proxy.http_port: 5555

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/21 03:20:47 | 000,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/08/02 12:04:49 | 000,000,000 | ---D | M]

[2010/01/26 01:14:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sjchopha\Application Data\Mozilla\Extensions

[2010/07/23 15:35:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\sjchopha\Application Data\Mozilla\Firefox\Profiles\n27v90nh.default\extensions

[2010/01/26 19:58:45 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\sjchopha\Application Data\Mozilla\Firefox\Profiles\n27v90nh.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

[2010/04/10 09:10:07 | 000,000,000 | ---D | M] (Search Toolbar) -- C:\Documents and Settings\sjchopha\Application Data\Mozilla\Firefox\Profiles\n27v90nh.default\extensions\{896642E4-C556-4ED3-85D1-9AC431603E7D}

[2010/07/23 15:35:25 | 000,001,836 | ---- | M] () -- C:\Documents and Settings\sjchopha\Application Data\Mozilla\Firefox\Profiles\n27v90nh.default\searchplugins\bing-ff.xml

[2010/07/27 17:21:42 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

[2010/04/10 09:10:20 | 000,000,000 | ---D | M] (LoudMo Contextual Ad Assistant) -- C:\Program Files\Mozilla Firefox\extensions\{ce7291a3-19c1-bebe-bc29-dc440a781d4b}

[2009/10/22 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll

[2009/09/21 12:24:16 | 000,001,329 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\crawlersrch.xml

O1 HOSTS File: ([2010/08/06 16:47:29 | 000,000,758 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts

O1 - Hosts: 127.0.0.1 localhost

O1 - Hosts: 127.0.0.1 gs.apple.com

O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)

O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)

O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\WINDOWS\system32\BAE.dll (Gateway Inc.)

O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.)

O2 - BHO: (TBSB05974 Class) - {FCBCCB87-9224-4B8D-B117-F56D924BEB18} - C:\Program Files\Search Toolbar\tbcore3.dll ()

O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\YTSingleInstance.dll (Yahoo! Inc)

O3 - HKLM\..\Toolbar: (Search Toolbar) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files\Search Toolbar\tbcore3.dll ()

O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll (Microsoft Corp.)

O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)

O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.

O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-1880522794-4082022139-704450331-500\..\Toolbar\WebBrowser: (Search Toolbar) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files\Search Toolbar\tbcore3.dll ()

O3 - HKU\S-1-5-21-1880522794-4082022139-704450331-500\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-329068152-789336058-725345543-99290\..\Toolbar\WebBrowser: (Search Toolbar) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - C:\Program Files\Search Toolbar\tbcore3.dll ()

O3 - HKU\S-1-5-21-329068152-789336058-725345543-99290\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O3 - HKU\S-1-5-21-329068152-789336058-725345543-99290\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (Yahoo! Inc.)

O4 - HKLM..\Run: [] File not found

O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Apricorn\EZ Gig II\TimounterMonitor.exe (Apricorn)

O4 - HKLM..\Run: [Apricorn Scheduler Service] C:\Program Files\Common Files\Apricorn\Schedule2\schedhlp.exe (Apricorn)

O4 - HKLM..\Run: [ASUS Ai Charger] C:\Program Files\ASUS\ASUS Ai Charger\AiChargerAP.exe (ASUSTek Computer Inc.)

O4 - HKLM..\Run: [AT&T Communication Manager] C:\Program Files\AT&T\Communication Manager\ATTCM.exe (ATT)

O4 - HKLM..\Run: [EZGigMonitor.exe] C:\Program Files\Apricorn\EZ Gig II\EZGigMonitor.exe (Apricorn)

O4 - HKLM..\Run: [GoToMyPC] C:\Program Files\Citrix\GoToMyPC\g2svc.exe (Citrix Online, a division of Citrix Systems, Inc.)

O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)

O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)

O4 - HKLM..\Run: [shStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)

O4 - HKU\S-1-5-19..\Run: [TabletWizard] C:\WINDOWS\help\wizard.hta File not found

O4 - HKU\S-1-5-20..\Run: [TabletWizard] C:\WINDOWS\help\wizard.hta File not found

O4 - HKU\S-1-5-21-1880522794-4082022139-704450331-500..\Run: [Power2GoExpress] File not found

O4 - HKU\S-1-5-21-329068152-789336058-725345543-99290..\Run: [EPSON WorkForce 500 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEQA.EXE (SEIKO EPSON CORPORATION)

O4 - HKU\S-1-5-21-329068152-789336058-725345543-99290..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)

O4 - Startup: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\Add_These_Administrative_Groups.txt ()

O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Flextronics VPN Client.lnk = C:\Program Files\Flextronics VPN Client\vpngui.exe (Cisco Systems, Inc.)

O4 - Startup: C:\Documents and Settings\Desktop\Start Menu\Programs\Startup\Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe (EMC)

O4 - Startup: C:\Documents and Settings\sjchopha\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (Microsoft Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Main present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1880522794-4082022139-704450331-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-1880522794-4082022139-704450331-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-329068152-789336058-725345543-99290\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-329068152-789336058-725345543-99290\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1

O7 - HKU\S-1-5-21-329068152-789336058-725345543-99290\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 1

O7 - HKU\S-1-5-21-329068152-789336058-725345543-99290\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0

O8 - Extra context menu item: Append to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)

O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)

O9 - Extra Button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe (Bodog)

O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)

O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - File not found

O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - File not found

O15 - HKU\.DEFAULT\..Trusted Domains: flextronics.com ([]http in Local intranet)

O15 - HKU\.DEFAULT\..Trusted Domains: flextronics.com ([]https in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: flextronics.com ([]http in Local intranet)

O15 - HKU\S-1-5-18\..Trusted Domains: flextronics.com ([]https in Local intranet)

O15 - HKU\S-1-5-21-329068152-789336058-725345543-99290\..Trusted Domains: flextronics.com ([]http in Local intranet)

O15 - HKU\S-1-5-21-329068152-789336058-725345543-99290\..Trusted Domains: flextronics.com ([]https in Local intranet)

O16 - DPF: {254AA86E-5655-4518-AA87-185D7CC41801} https://secure.logmeinrescue.com/US/TechCon...scueControl.cab (LogMeIn Rescue Technician Console)

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onecare.live.com/resource/...lscbase6770.cab (Windows Live Safety Center Base Module)

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/...b?1252685346265 (WUWebControl Class)

O16 - DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} https://eroom1.flextronics.com/eRoomSetup/client.cab (ERPageAddin Class)

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1257312297906 (MUWebControl Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} http://support.gateway.com/support/serialharvest/gwCID.CAB (compid Class)

O16 - DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)

O16 - DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_17)

O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 4.2.2.2 4.2.2.1 68.87.66.234

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = americas.ad.flextronics.com

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)

O20 - AppInit_DLLs: (rumepamo.dll) - File not found

O20 - AppInit_DLLs: (yizodonu.dll) - File not found

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)

O20 - Winlogon\Notify\GoToMyPC: DllName - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll - C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll (Citrix Online, a division of Citrix Systems, Inc.)

O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)

O20 - Winlogon\Notify\loginkey: DllName - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll - C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll (Microsoft Corporation)

O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found

O20 - Winlogon\Notify\TabBtnWL: DllName - TabBtnWL.dll - C:\WINDOWS\System32\tabbtnwl.dll (Microsoft Corporation)

O20 - Winlogon\Notify\tpgwlnotify: DllName - tpgwlnot.dll - C:\WINDOWS\System32\tpgwlnot.dll (Microsoft Corporation)

O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Gateway.bmp

O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Apricorn)

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2006/06/22 22:19:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]

O33 - MountPoints2\{2f10f371-36f1-11df-bc39-001f3c66ebdc}\Shell - "" = AutoRun

O33 - MountPoints2\{2f10f371-36f1-11df-bc39-001f3c66ebdc}\Shell\AutoRun - "" = Auto&Play

O33 - MountPoints2\{6c4c8ebf-9ee9-11de-a153-806d6172696f}\Shell - "" = AutoRun

O33 - MountPoints2\{6c4c8ebf-9ee9-11de-a153-806d6172696f}\Shell\AutoRun - "" = Auto&Play

O34 - HKLM BootExecute: (autocheck autochk *) - File not found

O35 - HKLM\..comfile [open] -- "%1" %*

O35 - HKLM\..exefile [open] -- "%1" %*

O37 - HKLM\...com [@ = comfile] -- "%1" %*

O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/08/09 07:03:12 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\sjchopha\Desktop\OTL.exe

[2010/08/08 19:59:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\EPSON

[2010/08/08 19:58:58 | 000,086,528 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\System32\E_FLBEQA.DLL

[2010/08/08 19:58:58 | 000,078,848 | ---- | C] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\System32\E_FD4BEQA.DLL

[2010/08/08 19:56:46 | 000,071,680 | ---- | C] (SEIKO EPSON CORP.) -- C:\WINDOWS\System32\escwiad.dll

[2010/08/08 13:41:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood

[2010/08/04 14:48:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sjchopha\.shsh

[2010/08/02 12:05:19 | 000,000,000 | ---D | C] -- C:\Program Files\iPod

[2010/08/02 12:05:13 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes

[2010/08/02 12:03:26 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update

[2010/08/02 12:01:37 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour

[2010/08/02 11:56:54 | 096,971,560 | ---- | C] (Apple Inc.) -- C:\Documents and Settings\sjchopha\My Documents\iTunesSetup.exe

[2010/08/02 03:13:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe

[2010/08/02 03:13:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun

[2010/07/29 22:05:08 | 084,253,480 | ---- | C] (Microsoft Corporation) -- C:\Documents and Settings\sjchopha\My Documents\TRPSetup.exe

[2010/07/28 13:34:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sjchopha\My Documents\Download_Windows_AIO

[2010/07/28 13:34:04 | 000,013,224 | ---- | C] (ASUSTek Computer Inc.) -- C:\WINDOWS\System32\drivers\AiCharger.sys

[2010/07/28 13:34:04 | 000,000,000 | ---D | C] -- C:\Program Files\ASUS

[2010/07/28 13:33:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sjchopha\My Documents\AiCharger_V10006_XpVistaWin7

[2010/07/27 17:33:40 | 000,000,000 | ---D | C] -- C:\Program Files\Citrix

[2010/07/27 17:33:40 | 000,000,000 | ---D | C] -- C:\WINDOWS\CD95F661A5C444F5A6AAECDD91C240B5.TMP

[2010/07/27 17:33:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sjchopha\My Documents\App Patch For 3.0 3.13

[2010/07/27 17:33:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sjchopha\My Documents\3GS-3.13

[2010/07/27 17:33:18 | 000,000,000 | ---D | C] -- C:\Program Files\Readon Technology

[2010/07/27 17:32:13 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Research in Motion

[2010/07/27 17:32:13 | 000,000,000 | ---D | C] -- C:\Program Files\AT&T

[2010/07/27 17:32:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AT&T

[2010/07/27 17:12:43 | 000,000,000 | -HSD | C] -- C:\RECYCLER

[2010/07/27 17:12:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sjchopha\Desktop\New folder

[2010/07/27 13:33:20 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT

[2010/07/27 13:33:18 | 000,000,000 | ---D | C] -- C:\ComboFix

[2010/07/27 13:32:26 | 000,000,000 | ---D | C] -- C:\Qoobox

[2010/07/27 02:10:15 | 000,000,000 | ---D | C] -- C:\RECYCLER(2)

[2010/07/25 19:12:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\sjchopha\Local Settings\Application Data\FixItCenter

[2010/07/25 19:08:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\MATS

[2010/07/25 19:08:58 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Fix it Center

[2010/07/25 18:55:34 | 000,000,000 | ---D | C] -- C:\cabs

[2010/07/25 18:48:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Driver Whiz

[2010/07/25 18:47:15 | 000,000,000 | ---D | C] -- C:\Program Files\Driver Whiz

[2010/07/25 17:52:37 | 000,000,000 | ---D | C] -- C:\Program Files\Citrix(3)

[2010/07/25 17:51:49 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes(4)

[2010/07/25 17:51:49 | 000,000,000 | ---D | C] -- C:\Program Files\iPod(4)

[2010/07/22 12:11:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

[2010/07/22 07:59:48 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Live Safety Center

[2010/07/21 09:55:56 | 000,000,000 | ---D | C] -- C:\Simple I Tool

[2010/07/21 03:22:19 | 000,000,000 | ---D | C] -- C:\Program Files\iPod(3)

[2010/07/21 03:18:55 | 000,000,000 | ---D | C] -- C:\Program Files\Apple Software Update(3)

[2010/07/21 03:17:06 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour(3)

[2010/07/21 02:45:48 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes(3)

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/08/09 07:13:00 | 000,000,492 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Update Check (YOUR-5E2704140D-Administrator).job

[2010/08/09 07:13:00 | 000,000,478 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Update Check (NT AUTHORITY-SYSTEM).job

[2010/08/09 07:11:00 | 000,000,580 | -H-- | M] () -- C:\WINDOWS\tasks\DataUpload.job

[2010/08/09 07:09:00 | 000,000,428 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{83548D6D-EBE1-4918-9707-FF226A33C210}.job

[2010/08/09 07:03:12 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\sjchopha\Desktop\OTL.exe

[2010/08/09 06:51:00 | 000,000,890 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

[2010/08/08 19:59:11 | 004,718,592 | ---- | M] () -- C:\Documents and Settings\sjchopha\ntuser.dat

[2010/08/08 19:50:32 | 000,030,208 | ---- | M] () -- C:\Documents and Settings\sjchopha\Desktop\SOLUTION.doc

[2010/08/08 19:11:00 | 000,000,616 | -H-- | M] () -- C:\WINDOWS\tasks\ConfigExec.job

[2010/08/08 12:32:51 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm

[2010/08/08 12:32:51 | 000,000,232 | -H-- | M] () -- C:\sqmdata01.sqm

[2010/08/07 00:06:11 | 000,031,232 | ---- | M] () -- C:\Documents and Settings\sjchopha\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2010/08/06 23:09:27 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/08/06 16:47:29 | 000,000,758 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts

[2010/08/06 16:47:29 | 000,000,734 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.umbrella

[2010/08/06 15:47:05 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job

[2010/08/06 15:46:05 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT

[2010/08/06 15:45:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat

[2010/08/06 15:45:44 | 2145,832,960 | -HS- | M] () -- C:\hiberfil.sys

[2010/08/06 11:38:08 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\sjchopha\ntuser.ini

[2010/08/06 11:38:01 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm

[2010/08/06 11:38:01 | 000,000,232 | -H-- | M] () -- C:\sqmdata00.sqm

[2010/08/06 04:16:28 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm

[2010/08/06 04:16:28 | 000,000,232 | -H-- | M] () -- C:\sqmdata19.sqm

[2010/08/06 03:27:30 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm

[2010/08/06 03:27:30 | 000,000,232 | -H-- | M] () -- C:\sqmdata18.sqm

[2010/08/06 03:18:58 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm

[2010/08/06 03:18:58 | 000,000,232 | -H-- | M] () -- C:\sqmdata17.sqm

[2010/08/05 10:36:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm

[2010/08/05 10:36:13 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm

[2010/08/05 09:52:53 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm

[2010/08/05 09:52:53 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm

[2010/08/04 16:40:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm

[2010/08/04 16:40:45 | 000,000,232 | -H-- | M] () -- C:\sqmdata14.sqm

[2010/08/04 15:55:57 | 003,775,164 | -H-- | M] () -- C:\Documents and Settings\sjchopha\Local Settings\Application Data\IconCache.db

[2010/08/04 15:55:56 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm

[2010/08/04 15:55:56 | 000,000,232 | -H-- | M] () -- C:\sqmdata13.sqm

[2010/08/04 15:50:26 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm

[2010/08/04 15:50:26 | 000,000,232 | -H-- | M] () -- C:\sqmdata12.sqm

[2010/08/04 15:20:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm

[2010/08/04 15:20:49 | 000,000,232 | -H-- | M] () -- C:\sqmdata11.sqm

[2010/08/04 14:47:06 | 000,000,578 | ---- | M] () -- C:\Documents and Settings\sjchopha\Desktop\iTool v1.0.lnk

[2010/08/03 21:40:18 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm

[2010/08/03 21:40:18 | 000,000,232 | -H-- | M] () -- C:\sqmdata10.sqm

[2010/08/03 11:28:23 | 000,071,688 | ---- | M] () -- C:\Documents and Settings\sjchopha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

[2010/08/03 08:56:28 | 000,000,232 | -H-- | M] () -- C:\sqmdata09.sqm

[2010/08/03 08:56:27 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm

[2010/08/03 08:53:43 | 000,277,352 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT

[2010/08/03 08:51:59 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm

[2010/08/03 08:51:59 | 000,000,232 | -H-- | M] () -- C:\sqmdata08.sqm

[2010/08/03 08:41:54 | 000,000,232 | -H-- | M] () -- C:\sqmdata07.sqm

[2010/08/03 08:41:53 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm

[2010/08/02 18:26:06 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm

[2010/08/02 18:26:06 | 000,000,232 | -H-- | M] () -- C:\sqmdata06.sqm

[2010/08/02 12:11:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm

[2010/08/02 12:11:36 | 000,000,232 | -H-- | M] () -- C:\sqmdata05.sqm

[2010/08/02 12:06:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm

[2010/08/02 12:06:54 | 000,000,232 | -H-- | M] () -- C:\sqmdata04.sqm

[2010/08/02 12:04:39 | 000,001,615 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk

[2010/08/02 12:03:31 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/08/02 11:56:54 | 096,971,560 | ---- | M] (Apple Inc.) -- C:\Documents and Settings\sjchopha\My Documents\iTunesSetup.exe

[2010/08/02 10:41:57 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm

[2010/08/02 10:41:57 | 000,000,232 | -H-- | M] () -- C:\sqmdata03.sqm

[2010/08/02 03:13:06 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

[2010/08/01 19:36:29 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm

[2010/08/01 19:36:29 | 000,000,232 | -H-- | M] () -- C:\sqmdata02.sqm

[2010/07/31 09:57:18 | 000,000,153 | ---- | M] () -- C:\Documents and Settings\sjchopha\Application Data\default.rss

[2010/07/31 09:55:40 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini

[2010/07/30 11:16:09 | 003,126,355 | ---- | M] () -- C:\Documents and Settings\sjchopha\My Documents\vsl30.zip

[2010/07/29 22:05:08 | 084,253,480 | ---- | M] (Microsoft Corporation) -- C:\Documents and Settings\sjchopha\My Documents\TRPSetup.exe

[2010/07/28 13:32:08 | 001,364,522 | ---- | M] () -- C:\Documents and Settings\sjchopha\My Documents\wrar393.exe

[2010/07/28 13:29:34 | 001,656,601 | ---- | M] () -- C:\Documents and Settings\sjchopha\My Documents\AiCharger_V10006_XpVistaWin7.zip

[2010/07/27 22:02:55 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl

[2010/07/27 13:13:52 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\sjchopha\defogger_reenable

[2010/07/27 13:09:12 | 002,168,258 | ---- | M] () -- C:\Documents and Settings\sjchopha\My Documents\Download_Windows_AIO.rar

[2010/07/26 22:55:22 | 000,046,080 | ---- | M] () -- C:\Documents and Settings\sjchopha\Desktop\New Microsoft Word Document.doc

[2010/07/25 19:40:42 | 000,001,908 | ---- | M] () -- C:\WINDOWS\diagwrn.xml

[2010/07/25 19:40:42 | 000,001,908 | ---- | M] () -- C:\WINDOWS\diagerr.xml

[2010/07/25 19:40:08 | 000,001,996 | ---- | M] () -- C:\Documents and Settings\sjchopha\Desktop\Windows Compatibility Report.htm

[2010/07/23 15:33:48 | 000,030,505 | ---- | M] () -- C:\Documents and Settings\sjchopha\My Documents\Malwarebytes_invoice.pdf

[2010/07/21 12:14:30 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_netaapl_01005.Wdf

[2010/07/21 12:14:27 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

[2010/07/21 12:14:26 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK

[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/08/08 19:50:31 | 000,030,208 | ---- | C] () -- C:\Documents and Settings\sjchopha\Desktop\SOLUTION.doc

[2010/08/04 14:47:06 | 000,000,578 | ---- | C] () -- C:\Documents and Settings\sjchopha\Desktop\iTool v1.0.lnk

[2010/08/02 12:06:23 | 000,002,137 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk

[2010/08/02 12:04:39 | 000,001,615 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk

[2010/07/30 11:16:09 | 003,126,355 | ---- | C] () -- C:\Documents and Settings\sjchopha\My Documents\vsl30.zip

[2010/07/28 13:32:04 | 001,364,522 | ---- | C] () -- C:\Documents and Settings\sjchopha\My Documents\wrar393.exe

[2010/07/28 13:29:34 | 001,656,601 | ---- | C] () -- C:\Documents and Settings\sjchopha\My Documents\AiCharger_V10006_XpVistaWin7.zip

[2010/07/27 13:13:52 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\sjchopha\defogger_reenable

[2010/07/27 13:12:05 | 002,168,258 | ---- | C] () -- C:\Documents and Settings\sjchopha\My Documents\Download_Windows_AIO.rar

[2010/07/27 02:07:47 | 000,046,080 | ---- | C] () -- C:\Documents and Settings\sjchopha\Desktop\New Microsoft Word Document.doc

[2010/07/25 19:11:22 | 000,000,616 | -H-- | C] () -- C:\WINDOWS\tasks\ConfigExec.job

[2010/07/25 19:11:22 | 000,000,580 | -H-- | C] () -- C:\WINDOWS\tasks\DataUpload.job

[2010/07/25 18:13:14 | 000,001,996 | ---- | C] () -- C:\Documents and Settings\sjchopha\Desktop\Windows Compatibility Report.htm

[2010/07/25 18:11:33 | 000,001,908 | ---- | C] () -- C:\WINDOWS\diagwrn.xml

[2010/07/25 18:11:33 | 000,001,908 | ---- | C] () -- C:\WINDOWS\diagerr.xml

[2010/07/23 15:33:48 | 000,030,505 | ---- | C] () -- C:\Documents and Settings\sjchopha\My Documents\Malwarebytes_invoice.pdf

[2010/07/21 12:14:30 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_netaapl_01005.Wdf

[2010/07/21 12:14:27 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

[2010/07/21 02:41:15 | 000,000,284 | ---- | C] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job

[2010/04/05 09:32:49 | 000,004,767 | ---- | C] () -- C:\WINDOWS\Irremote.ini

[2010/04/04 09:32:49 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini

[2010/03/24 18:00:17 | 000,026,504 | ---- | C] () -- C:\WINDOWS\System32\drivers\swmsflt.sys

[2010/02/09 23:10:22 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS58.DLL

[2009/11/03 20:31:46 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI

[2009/09/11 13:26:50 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI

[2009/09/11 11:50:55 | 000,197,672 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll

[2009/09/11 11:50:54 | 000,189,480 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll

[2009/09/11 11:16:08 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini

[2009/05/16 20:19:10 | 000,008,784 | ---- | C] () -- C:\WINDOWS\System32\ractrlkeyhook.dll

[2008/10/20 11:13:41 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\jesterss.dll

[2008/10/20 11:09:37 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\tifmicon.dll

[2008/10/20 11:08:33 | 000,910,304 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll

[2008/10/20 11:08:33 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4814.dll

[2007/02/03 09:59:04 | 000,050,127 | ---- | C] () -- C:\WINDOWS\System32\lvcoinst.ini

[2006/06/27 01:59:05 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini

[2006/06/23 21:43:07 | 000,167,936 | R--- | C] () -- C:\WINDOWS\System32\GBInf.dll

[2006/06/22 15:07:41 | 000,001,272 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

[2006/06/22 15:07:41 | 000,000,495 | ---- | C] () -- C:\WINDOWS\System32\emver.ini

[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== Files - Unicode (All) ==========

[2010/01/11 00:20:07 | 000,000,027 | ---- | M] ()(C:\Documents and Settings\sjchopha\My Documents\Tu?ng th?n c?a vua C


Hi Elise,

Here are more logs.

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-08-09 18:54:59

Windows 5.1.2600 Service Pack 3

Running: f6ftk4qp.exe; Driver: C:\DOCUME~1\sjchopha\LOCALS~1\Temp\ufdcapod.sys

---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xB9C087B8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9C08676]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9C08610]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9C08624]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9C0868A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9C086B6]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9C08724]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB9C0870E]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9C0873A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9C087F8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB9C08766]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9C08662]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9C085D4]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9C085E8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB9C087CC]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9C087A2]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9C086F8]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB9C086E2]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9C086A0]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9C0878E]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9C0877A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9C0864E]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9C0863A]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9C086CC]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9C08827]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9C08750]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9C0880E]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9C087E2]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP B9C087E6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B9C087BC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP B9C087FC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP B9C08812 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP B9C087D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP B9C085D8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP B9C085EC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP B9C0863E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP B9C08628 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP B9C08614 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP B9C08652 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP B9C0882B mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EE 7 Bytes JMP B9C086E6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwSetValueKey 80621D3C 7 Bytes JMP B9C086D0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwUnloadKey 80622066 7 Bytes JMP B9C08754 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622904 7 Bytes JMP B9C086FC mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRenameKey 806231D8 7 Bytes JMP B9C086A4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwCreateKey 806237B6 5 Bytes JMP B9C0867A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteKey 80623C46 7 Bytes JMP B9C0868E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E16 7 Bytes JMP B9C086BA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF6 7 Bytes JMP B9C08728 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80624260 7 Bytes JMP B9C08712 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwOpenKey 80624B88 5 Bytes JMP B9C08666 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwQueryKey 80624EAE 7 Bytes JMP B9C087A6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwRestoreKey 8062516E 5 Bytes JMP B9C0877E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwLoadKey2 806255BE 7 Bytes JMP B9C0873E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwReplaceKey 80625862 5 Bytes JMP B9C08792 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8062597C 5 Bytes JMP B9C0876A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

.rsrc C:\WINDOWS\system32\drivers\hpn.sys entry point in ".rsrc" section [0xBA395934]

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB855D000, 0x19DA46, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DF0000

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DF0076

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DF0F77

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DF005B

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DF0FA8

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DF0039

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DF0F30

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DF0F4B

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DF00B8

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DF009D

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DF0F04

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DF004A

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DF0FE5

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DF0F5C

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DF0FC3

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DF0FD4

.text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DF0F1F

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DE0FD4

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DE0065

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DE0025

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DE000A

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DE0054

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DE0FEF

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DE0FB2

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FE, 88]

.text C:\WINDOWS\system32\svchost.exe[216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DE0FC3

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DC003D

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DC0FA8

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DC0022

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DC0000

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DC0FCD

.text C:\WINDOWS\system32\svchost.exe[216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DC0011

.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DA0FEF

.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DA0FDE

.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DA0FC3

.text C:\WINDOWS\system32\svchost.exe[216] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00DA0FB2

.text C:\WINDOWS\system32\svchost.exe[216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DB000A

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03E50FE5

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03E50F35

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03E50F50

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03E5002A

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03E50F61

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03E50F97

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03E50F09

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03E50F1A

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03E50EDD

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03E5006C

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03E50ECC

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03E50F86

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03E50FCA

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03E50045

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03E50FA8

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03E50FB9

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03E50EEE

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03E40036

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03E40FA5

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03E40025

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03E40FEF

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03E40FCA

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03E40000

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03E4006C

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03E40051

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03E30038

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] msvcrt.dll!system 77C293C7 5 Bytes JMP 03E30FAD

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03E3001D

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03E3000C

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03E30FBE

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03E30FE3

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03E20FE5

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03E10FEF

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03E10FD4

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03E10000

.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[812] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 03E10FB9

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01400FEF

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01400078

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01400F83

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01400F94

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01400051

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0140002F

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0140009A

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01400F52

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01400F0B

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01400F1C

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014000B5

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01400040

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01400FDE

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01400089

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01400FC3

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01400014

.text C:\WINDOWS\system32\services.exe[1108] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01400F37

.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013F0FC3

.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013F0F8D

.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013F0FD4

.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013F0FEF

.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013F004A

.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013F0000

.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 013F0039

.text C:\WINDOWS\system32\services.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013F0FB2

.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013E0056

.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 013E0FC1

.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013E0FD2

.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013E0FE3

.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013E0027

.text C:\WINDOWS\system32\services.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013E000C

.text C:\WINDOWS\system32\services.exe[1108] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FE0000

.text C:\WINDOWS\system32\services.exe[1108] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FE0011

.text C:\WINDOWS\system32\services.exe[1108] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FE0FDB

.text C:\WINDOWS\system32\services.exe[1108] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FE0FCA

.text C:\WINDOWS\system32\services.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01370FEF

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01370039

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01370F4E

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01370F5F

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01370F7C

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01370FA8

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01370F1D

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01370065

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01370EFB

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01370F0C

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01370EE0

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01370F8D

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01370FDE

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0137004A

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01370014

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01370FC3

.text C:\WINDOWS\system32\lsass.exe[1120] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01370080

.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E20025

.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E20F9E

.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E20FD4

.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E20FE5

.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E20FB9

.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E20000

.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E2005B

.text C:\WINDOWS\system32\lsass.exe[1120] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E20040

.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E10F92

.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E1001D

.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E1000C

.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E10FEF

.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E10FAD

.text C:\WINDOWS\system32\lsass.exe[1120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E10FDE

.text C:\WINDOWS\system32\lsass.exe[1120] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E00FEF

.text C:\WINDOWS\system32\lsass.exe[1120] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DF0FE5

.text C:\WINDOWS\system32\lsass.exe[1120] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DF000A

.text C:\WINDOWS\system32\lsass.exe[1120] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DF001B

.text C:\WINDOWS\system32\lsass.exe[1120] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00DF0040

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DF0FEF

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DF007D

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DF0F7E

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DF0F9B

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DF0058

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DF0FC0

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DF0F63

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DF00AB

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DF00BC

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DF0F23

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DF00D7

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DF0047

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DF000A

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DF008E

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DF002C

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DF001B

.text C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DF0F48

.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DE0FD4

.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DE0F97

.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DE0FEF

.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DE0025

.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DE0FA8

.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DE000A

.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00DE0FB9

.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [FE, 88]

.text C:\WINDOWS\system32\svchost.exe[1320] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DE0040

.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DD0FA8

.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DD0FC3

.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DD0029

.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DD0FEF

.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DD0FD4

.text C:\WINDOWS\system32\svchost.exe[1320] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DD0018

.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DB0000

.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DB0011

.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DB0022

.text C:\WINDOWS\system32\svchost.exe[1320] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00DB0FD1

.text C:\WINDOWS\system32\svchost.exe[1320] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DC0000

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 015C0FEF

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 015C0F86

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 015C0FA1

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 015C007B

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 015C005E

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 015C0039

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 015C0F5F

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 015C00B1

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 015C00CC

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 015C0F33

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 015C0F18

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 015C0FBC

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 015C000A

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 015C00A0

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 015C0FCD

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 015C0FDE

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 015C0F4E

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 015B001B

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 015B0F9B

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 015B000A

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 015B0FD4

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 015B0058

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 015B0FE5

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 015B0047

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 015B002C

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 015A0FB2

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] msvcrt.dll!system 77C293C7 5 Bytes JMP 015A0033

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 015A0011

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] msvcrt.dll!_open 77C2F566 5 Bytes JMP 015A0FEF

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 015A0022

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 015A0000

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01590000

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01580000

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01580011

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01580FD1

.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[1352] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01580022

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01140FEF

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01140F8F

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01140084

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01140069

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01140FAC

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0114003D

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011400C1

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011400B0

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01140F4D

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011400E6

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01140F3C

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0114004E

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01140000

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01140095

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01140022

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01140011

.text C:\WINDOWS\system32\svchost.exe[1428] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01140F5E

.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01130FBC

.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01130F9A

.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01130FCD

.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01130FDE

.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01130057

.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01130FEF

.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01130FAB

.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [33, 89]

.text C:\WINDOWS\system32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01130032

.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01120F9C

.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!system 77C293C7 5 Bytes JMP 01120FB7

.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01120FC8

.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01120FE3

.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01120027

.text C:\WINDOWS\system32\svchost.exe[1428] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0112000C

.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FF0FEF

.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FF000A

.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FF001B

.text C:\WINDOWS\system32\svchost.exe[1428] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FF0040

.text C:\WINDOWS\system32\svchost.exe[1428] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01110000

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80FEF

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A80076

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A80F81

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A80F92

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80FB9

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A80040

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A80F3F

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A80091

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A80F13

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A800AC

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80F02

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A80051

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80000

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A80F66

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A80FCA

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80011

.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A80F2E

.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A7002C

.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A7008E

.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A7001B

.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A70000

.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A70073

.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A70FE5

.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A70058

.text C:\WINDOWS\system32\svchost.exe[1744] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A70047

.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60FA5

.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60FC0

.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A60FE5

.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60000

.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A6003A

.text C:\WINDOWS\system32\svchost.exe[1744] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A6001D

.text C:\WINDOWS\system32\svchost.exe[1744] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0FEF

.text C:\WINDOWS\system32\svchost.exe[1744] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C0FCA

.text C:\WINDOWS\system32\svchost.exe[1744] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C0FB9

.text C:\WINDOWS\system32\svchost.exe[1744] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C0F9E

.text C:\WINDOWS\system32\svchost.exe[1744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A5000A

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C8000A

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C8005B

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C80F66

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80040

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C80F83

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C80FAF

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C80F35

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C8007D

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C80F1A

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C800A9

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C800C4

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C80F94

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C8001B

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C8006C

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C80FC0

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C80FDB

.text C:\WINDOWS\system32\svchost.exe[1808] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C8008E

.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70025

.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C70F8D

.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C70FD4

.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C70FE5

.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C7004A

.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C70000

.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C70F9E

.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E7, 88] {OUT 0x88, EAX}

.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C70FB9

.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60031

.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60FA6

.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60FC1

.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60FEF

.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C6000C

.text C:\WINDOWS\system32\svchost.exe[1808] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FDE

.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001B0FEF

.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001B0FD4

.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001B0FB9

.text C:\WINDOWS\system32\svchost.exe[1808] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001B000A

.text C:\WINDOWS\system32\svchost.exe[1808] WS2_32.dll!socket 71AB4211 5 Bytes JMP 001C0000

.text C:\WINDOWS\System32\svchost.exe[1828] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A

.text C:\WINDOWS\System32\svchost.exe[1828] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A

.text C:\WINDOWS\System32\svchost.exe[1828] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05B70FEF

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05B70F83

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05B70078

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05B70051

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05B70040

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05B70FB9

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05B70F55

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05B7009D

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05B700B8

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05B70F29

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 05B70F0E

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05B70FA8

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05B7000A

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 05B70F72

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05B70025

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05B70FD4

.text C:\WINDOWS\System32\svchost.exe[1828] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 05B70F3A

.text C:\WINDOWS\System32\svchost.exe[1828] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 05B60FCA

.text C:\WINDOWS\System32\svchost.exe[1828] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 05B60F9E

.text C:\WINDOWS\System32\svchost.exe[1828] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 05B6001B

.text C:\WINDOWS\System32\svchost.exe[1828] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 05B6000A

.text C:\WINDOWS\System32\svchost.exe[1828] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 05B60FAF

.text C:\WINDOWS\System32\svchost.exe[1828] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 05B60FEF

.text C:\WINDOWS\System32\svchost.exe[1828] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 05B60051

.text C:\WINDOWS\System32\svchost.exe[1828] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 05B60036

.text C:\WINDOWS\System32\svchost.exe[1828] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 019F000A

.text C:\WINDOWS\System32\svchost.exe[1828] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 05830049

.text C:\WINDOWS\System32\svchost.exe[1828] msvcrt.dll!system 77C293C7 5 Bytes JMP 05830FBE

.text C:\WINDOWS\System32\svchost.exe[1828] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0583002E

.text C:\WINDOWS\System32\svchost.exe[1828] msvcrt.dll!_open 77C2F566 5 Bytes JMP 05830000

.text C:\WINDOWS\System32\svchost.exe[1828] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 05830FD9

.text C:\WINDOWS\System32\svchost.exe[1828] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0583001D

.text C:\WINDOWS\System32\svchost.exe[1828] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01B60000

.text C:\WINDOWS\System32\svchost.exe[1828] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01B6001B

.text C:\WINDOWS\System32\svchost.exe[1828] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01B60040

.text C:\WINDOWS\System32\svchost.exe[1828] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01B60FEF

.text C:\WINDOWS\System32\svchost.exe[1828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01B70FEF

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80FEF

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80F88

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80073

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80062

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80FA5

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80FCA

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D80F3C

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D80F57

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D800D5

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D800BA

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D800E6

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80047

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D80014

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D8008E

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D80036

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80025

.text C:\WINDOWS\system32\svchost.exe[2120] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D8009F

.text C:\WINDOWS\system32\svchost.exe[2120] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D70028

.text C:\WINDOWS\system32\svchost.exe[2120] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D70065

.text C:\WINDOWS\system32\svchost.exe[2120] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D70FCD

.text C:\WINDOWS\system32\svchost.exe[2120] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D70FDE

.text C:\WINDOWS\system32\svchost.exe[2120] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D70054

.text C:\WINDOWS\system32\svchost.exe[2120] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D70FEF

.text C:\WINDOWS\system32\svchost.exe[2120] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D70043

.text C:\WINDOWS\system32\svchost.exe[2120] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D70FBC

.text C:\WINDOWS\system32\svchost.exe[2120] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D60066

.text C:\WINDOWS\system32\svchost.exe[2120] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D60055

.text C:\WINDOWS\system32\svchost.exe[2120] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D60029

.text C:\WINDOWS\system32\svchost.exe[2120] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D60FEF

.text C:\WINDOWS\system32\svchost.exe[2120] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D6003A

.text C:\WINDOWS\system32\svchost.exe[2120] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D60018

.text C:\WINDOWS\system32\svchost.exe[2120] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0FE5

.text C:\WINDOWS\system32\svchost.exe[2120] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 001C000A

.text C:\WINDOWS\system32\svchost.exe[2120] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 001C0FD4

.text C:\WINDOWS\system32\svchost.exe[2120] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 001C002F

.text C:\WINDOWS\system32\wuauclt.exe[2224] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A

.text C:\WINDOWS\system32\wuauclt.exe[2224] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A

.text C:\WINDOWS\system32\wuauclt.exe[2224] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02D00000

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02D00F7C

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02D00F97

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02D00FA8

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02D00FB9

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02D00FD4

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02D000B8

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02D000A7

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02D00F3A

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02D00F55

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02D00F29

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02D00065

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02D00025

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02D0008C

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02D00FE5

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02D00040

.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02D000C9

.text C:\WINDOWS\system32\wuauclt.exe[2224] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02CE0042

.text C:\WINDOWS\system32\wuauclt.exe[2224] msvcrt.dll!system 77C293C7 5 Bytes JMP 02CE0027

.text C:\WINDOWS\system32\wuauclt.exe[2224] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02CE0FD2

.text C:\WINDOWS\system32\wuauclt.exe[2224] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02CE0FEF

.text C:\WINDOWS\system32\wuauclt.exe[2224] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02CE0FC1

.text C:\WINDOWS\system32\wuauclt.exe[2224] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02CE000C

.text C:\WINDOWS\system32\wuauclt.exe[2224] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02CF0FC3

.text C:\WINDOWS\system32\wuauclt.exe[2224] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02CF0065

.text C:\WINDOWS\system32\wuauclt.exe[2224] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02CF0FD4

.text C:\WINDOWS\system32\wuauclt.exe[2224] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02CF0FEF

.text C:\WINDOWS\system32\wuauclt.exe[2224] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02CF0054

.text C:\WINDOWS\system32\wuauclt.exe[2224] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02CF0000

.text C:\WINDOWS\system32\wuauclt.exe[2224] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02CF0FB2

.text C:\WINDOWS\system32\wuauclt.exe[2224] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EF, 8A]

.text C:\WINDOWS\system32\wuauclt.exe[2224] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02CF0039

.text C:\WINDOWS\system32\wuauclt.exe[2224] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02CC000A

.text C:\WINDOWS\system32\wuauclt.exe[2224] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02CC0025

.text C:\WINDOWS\system32\wuauclt.exe[2224] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02CC0036

.text C:\WINDOWS\system32\wuauclt.exe[2224] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02CC0051

.text C:\WINDOWS\system32\wuauclt.exe[2224] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02CD0FEF

.text C:\WINDOWS\Explorer.EXE[2892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A

.text C:\WINDOWS\Explorer.EXE[2892] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A

.text C:\WINDOWS\Explorer.EXE[2892] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01190000

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01190FA0

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01190FC5

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0119009F

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0119008E

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0119006C

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01190F74

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011900BA

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011900F2

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011900E1

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01190103

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0119007D

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01190025

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01190F8F

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01190051

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01190036

.text C:\WINDOWS\Explorer.EXE[2892] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01190F63

.text C:\WINDOWS\Explorer.EXE[2892] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01180FCA

.text C:\WINDOWS\Explorer.EXE[2892] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0118006C

.text C:\WINDOWS\Explorer.EXE[2892] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0118001B

.text C:\WINDOWS\Explorer.EXE[2892] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01180FE5

.text C:\WINDOWS\Explorer.EXE[2892] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0118005B

.text C:\WINDOWS\Explorer.EXE[2892] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01180000

.text C:\WINDOWS\Explorer.EXE[2892] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01180040

.text C:\WINDOWS\Explorer.EXE[2892] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01180FB9

.text C:\WINDOWS\Explorer.EXE[2892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01170F86

.text C:\WINDOWS\Explorer.EXE[2892] msvcrt.dll!system 77C293C7 5 Bytes JMP 01170F97

.text C:\WINDOWS\Explorer.EXE[2892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01170FC3

.text C:\WINDOWS\Explorer.EXE[2892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01170FEF

.text C:\WINDOWS\Explorer.EXE[2892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01170FA8

.text C:\WINDOWS\Explorer.EXE[2892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01170FDE

.text C:\WINDOWS\Explorer.EXE[2892] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01150FE5

.text C:\WINDOWS\Explorer.EXE[2892] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01150FCA

.text C:\WINDOWS\Explorer.EXE[2892] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01150FB9

.text C:\WINDOWS\Explorer.EXE[2892] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01150000

.text C:\WINDOWS\Explorer.EXE[2892] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01160000

.text C:\Program Files\MSN Messenger\msnmsgr.exe[3508] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[1268] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00405995] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

IAT C:\WINDOWS\system32\mfevtps.exe[1268] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004059CB] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHLWAPI.dll [uSER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!AnimateWindow] [61449D87] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TrackPopupMenuEx] [61449B94] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!DefWindowProcA] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetSysColor] [61449C27] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!DefWindowProcW] [6144A3BA] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!GetSysColorBrush] [61449CF2] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[5492] @ C:\WINDOWS\system32\SHELL32.dll [uSER32.dll!TrackPopupMenu] [61449B56] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.SYS (Bytemobile Kernel Network Provider/Bytemobile, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Apricorn Snapshot API/Apricorn)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 89C9BD01

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\hpn.sys suspicious modification

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

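As an added triage aid (not part of this thread or of GMER itself), the Python script below parses the `.text` hook lines and the `File ... suspicious modification` lines of a GMER log in the format shown above. GMER appends the owning module when a JMP target falls inside a loaded module (as on the msnmsgr.exe line); hooks whose target it cannot attribute to any module point into memory no file on disk accounts for, which is what separates injected code from a legitimate in-process hook, so the script counts those per process and per API family. The embedded sample log is constructed in the same format, and the family names and verdict thresholds are my own assumptions.

```python
"""Triage a GMER 1.0.15 user-mode hook log: group inline JMP hooks by process,
flag hooks that land in unattributed memory, and note modified driver files.
Added example; not GMER's code and not from the thread."""
import re
from collections import defaultdict

# Constructed sample in the GMER "User code sections" / "Files" line format.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1744] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A80F13
.text C:\WINDOWS\system32\svchost.exe[1744] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\system32\svchost.exe[1744] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C70F9E
.text C:\WINDOWS\system32\svchost.exe[1808] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E7, 88] {OUT 0x88, EAX}
.text C:\WINDOWS\Explorer.EXE[2892] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
.text C:\WINDOWS\system32\wuauclt.exe[2224] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\Program Files\MSN Messenger\msnmsgr.exe[3508] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\msnmsgr.exe (Messenger/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification
"""

# ".text <image>[pid] <dll>!<api>[ + off] <addr> <n> Byte(s) <patch...>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<dll>[\w.]+)!(?P<api>\w+)(?:\s*\+\s*\d+)?"
    r"\s+[0-9A-F]{8}\s+\d+\s+Bytes?\s+(?P<patch>.*)$"
)
# A JMP patch optionally followed by the module GMER attributed the target to.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<module>\S.*))?$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification$")

# Assumed grouping of hooked DLLs into the capability they give an intruder.
FAMILIES = {
    "ntdll.dll": "memory",
    "kernel32.dll": "process/loader",
    "advapi32.dll": "registry",
    "msvcrt.dll": "crt-exec/file",
    "wininet.dll": "network",
    "ws2_32.dll": "network",
}


def classify_patch(patch):
    """'backed' when the JMP lands in a named module, 'unbacked' when GMER
    printed no module for the target, 'partial' for non-JMP byte edits."""
    m = JMP_RE.match(patch)
    if not m:
        return "partial"
    return "backed" if m.group("module") else "unbacked"


def verdict(n_hooked, families, files):
    """Assumed thresholds: unbacked hooks in several processes that cover
    network or memory APIs, or any hooked process plus a modified driver."""
    if n_hooked and files:
        return "rootkit-likely"
    if n_hooked >= 2 and families & {"network", "memory"}:
        return "rootkit-likely"
    if n_hooked or files:
        return "review"
    return "clean"


def triage(log_text):
    """Return per-process hook counts, the API families reached by unbacked
    hooks, suspicious file lines and an overall verdict."""
    procs = defaultdict(lambda: {"unbacked": 0, "backed": 0, "partial": 0,
                                 "families": set()})
    files = []
    for line in log_text.splitlines():
        line = line.strip()
        m = HOOK_RE.match(line)
        if m:
            kind = classify_patch(m.group("patch"))
            entry = procs[m.group("proc")]
            entry[kind] += 1
            if kind == "unbacked":
                entry["families"].add(FAMILIES.get(m.group("dll").lower(), "other"))
            continue
        f = FILE_RE.match(line)
        if f:
            files.append(f.group("path"))
    hooked = {p: e for p, e in procs.items() if e["unbacked"]}
    families = set().union(*(e["families"] for e in hooked.values()))
    return {
        "processes": dict(procs),
        "hooked_processes": sorted(hooked),
        "families": families,
        "suspicious_files": files,
        "verdict": verdict(len(hooked), families, files),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for proc in report["hooked_processes"]:
        e = report["processes"][proc]
        print(f"{proc}: {e['unbacked']} unbacked hook(s) -> {sorted(e['families'])}")
    print("modified files:", report["suspicious_files"])
    print("verdict:", report["verdict"])
```

Run it against a full log by passing the file contents to `triage()`; the per-process counts tell you which processes carry injected code and the `partial` entries show where a hook was only partly written, as on the `RegCreateKeyW + 3` line.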

Hi, that looks like a nasty rootkit. Before starting to clean it, please read the following information:

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

[image: Query_RC.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC_successful.gif]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Try this first:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Hi Elise,

Here are the logs. Please let me know what to do next.

Thanks,

==============================================================================

2010/08/17 06:56:40.0890 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23

2010/08/17 06:56:40.0890 ================================================================================

2010/08/17 06:56:40.0890 SystemInfo:

2010/08/17 06:56:40.0890

2010/08/17 06:56:40.0890 OS Version: 5.1.2600 ServicePack: 3.0

2010/08/17 06:56:40.0890 Product type: Workstation

2010/08/17 06:56:40.0890 ComputerName: MLGM6HPHAME295

2010/08/17 06:56:40.0890 UserName: sjchopha

2010/08/17 06:56:40.0890 Windows directory: C:\WINDOWS

2010/08/17 06:56:40.0890 System windows directory: C:\WINDOWS

2010/08/17 06:56:40.0890 Processor architecture: Intel x86

2010/08/17 06:56:40.0890 Number of processors: 2

2010/08/17 06:56:40.0890 Page size: 0x1000

2010/08/17 06:56:40.0890 Boot type: Normal boot

2010/08/17 06:56:40.0890 ================================================================================

2010/08/17 06:56:41.0281 Initialize success

2010/08/17 06:57:23.0718 ================================================================================

2010/08/17 06:57:23.0718 Scan started

2010/08/17 06:57:23.0718 Mode: Manual;

2010/08/17 06:57:23.0718 ================================================================================

2010/08/17 06:57:24.0125 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2010/08/17 06:57:24.0203 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/08/17 06:57:24.0218 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys

2010/08/17 06:57:24.0234 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2010/08/17 06:57:24.0312 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/08/17 06:57:24.0375 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys

2010/08/17 06:57:24.0453 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/08/17 06:57:24.0546 AgereSoftModem (ce91b158fa490cf4c4d487a4130f4660) C:\WINDOWS\system32\DRIVERS\AGRSM.sys

2010/08/17 06:57:24.0781 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/08/17 06:57:24.0812 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2010/08/17 06:57:24.0843 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2010/08/17 06:57:24.0921 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2010/08/17 06:57:25.0031 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2010/08/17 06:57:25.0093 AiCharger (e4054edd909d378465f578f770fb9a94) C:\WINDOWS\system32\DRIVERS\AiCharger.sys

2010/08/17 06:57:25.0171 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2010/08/17 06:57:25.0234 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2010/08/17 06:57:25.0265 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2010/08/17 06:57:25.0281 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2010/08/17 06:57:25.0343 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/08/17 06:57:25.0359 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2010/08/17 06:57:25.0406 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2010/08/17 06:57:25.0453 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2010/08/17 06:57:25.0593 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/08/17 06:57:25.0609 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/08/17 06:57:25.0734 ati2mtag (3b23691e9eef04de3364d9271371bbde) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

2010/08/17 06:57:25.0796 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/08/17 06:57:25.0890 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/08/17 06:57:25.0953 AX88772 (b1fa50acc4da75ab2bf54c139ca8d064) C:\WINDOWS\system32\DRIVERS\ax88772.sys

2010/08/17 06:57:26.0046 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/08/17 06:57:26.0109 CamDrL (0f5ca31bb3fdb5c1e63c170cfbecc93b) C:\WINDOWS\system32\DRIVERS\Camdrl.sys

2010/08/17 06:57:26.0359 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2010/08/17 06:57:26.0390 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/08/17 06:57:26.0421 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/08/17 06:57:26.0437 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2010/08/17 06:57:26.0531 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/08/17 06:57:26.0562 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/08/17 06:57:26.0593 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/08/17 06:57:26.0656 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2010/08/17 06:57:26.0671 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2010/08/17 06:57:26.0703 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2010/08/17 06:57:26.0734 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2010/08/17 06:57:26.0781 CVirtA (5c706c06c1279952d2cc1a609ca948bf) C:\WINDOWS\system32\DRIVERS\CVirtA.sys

2010/08/17 06:57:26.0921 CVPNDRVA (244b0408e9e20c734c97ce1e783d67ee) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys

2010/08/17 06:57:26.0984 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2010/08/17 06:57:27.0015 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2010/08/17 06:57:27.0187 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/08/17 06:57:27.0265 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/08/17 06:57:27.0312 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/08/17 06:57:27.0343 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/08/17 06:57:27.0390 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/08/17 06:57:27.0421 DNE (2eddbb3ef1dd5a28cb07c149d36e7286) C:\WINDOWS\system32\DRIVERS\dne2000.sys

2010/08/17 06:57:27.0437 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2010/08/17 06:57:27.0484 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/08/17 06:57:27.0546 e1express (56ec5e54140471ce2b8723d476614e55) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

2010/08/17 06:57:27.0828 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/08/17 06:57:27.0859 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys

2010/08/17 06:57:27.0890 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/08/17 06:57:27.0921 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys

2010/08/17 06:57:27.0937 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/08/17 06:57:27.0968 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/08/17 06:57:27.0984 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/08/17 06:57:28.0031 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

2010/08/17 06:57:28.0125 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/08/17 06:57:28.0156 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/08/17 06:57:28.0203 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

2010/08/17 06:57:28.0234 hpn (9317dfb52dc22cd683b2360a05756bbc) C:\WINDOWS\system32\DRIVERS\hpn.sys

2010/08/17 06:57:28.0234 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\hpn.sys. Real md5: 9317dfb52dc22cd683b2360a05756bbc, Fake md5: b028377dea0546a5fcfba928a8aefae0

2010/08/17 06:57:28.0234 hpn - detected Rootkit.Win32.TDSS.tdl3 (0)

2010/08/17 06:57:28.0281 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/08/17 06:57:28.0296 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2010/08/17 06:57:28.0328 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2010/08/17 06:57:28.0359 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/08/17 06:57:28.0625 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2010/08/17 06:57:28.0906 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\DRIVERS\IASTOR.SYS

2010/08/17 06:57:28.0968 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/08/17 06:57:29.0015 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2010/08/17 06:57:29.0125 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/08/17 06:57:29.0171 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/08/17 06:57:29.0203 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/08/17 06:57:29.0234 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/08/17 06:57:29.0265 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/08/17 06:57:29.0296 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/08/17 06:57:29.0328 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/08/17 06:57:29.0359 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/08/17 06:57:29.0484 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/08/17 06:57:29.0515 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/08/17 06:57:29.0531 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

2010/08/17 06:57:29.0562 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/08/17 06:57:29.0593 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/08/17 06:57:29.0671 LVUSBSta (64bc29c3a0388bfc580bb8b1346f7659) C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys

2010/08/17 06:57:29.0765 MBAMProtector (67b48a903430c6d4fb58cbaca1866601) C:\WINDOWS\system32\drivers\mbam.sys

2010/08/17 06:57:29.0953 mfeapfk (4d81c0e4ed846e9a70b881891a5598ab) C:\WINDOWS\system32\drivers\mfeapfk.sys

2010/08/17 06:57:29.0968 mfeavfk (ff75f47ec2a9ea3e780a9d08daba1276) C:\WINDOWS\system32\drivers\mfeavfk.sys

2010/08/17 06:57:30.0000 mfebopk (5a3b000fdccf826ffb74e76b0474c856) C:\WINDOWS\system32\drivers\mfebopk.sys

2010/08/17 06:57:30.0140 mfehidk (8e6b4e55d3a33b92693f7081ec018c39) C:\WINDOWS\system32\drivers\mfehidk.sys

2010/08/17 06:57:30.0265 mferkdet (fa097d72a439c3a387fe38a654df44c5) C:\WINDOWS\system32\drivers\mferkdet.sys

2010/08/17 06:57:30.0375 mfetdik (a45d0c099a478de5cbd0d6e8466becd5) C:\WINDOWS\system32\drivers\mfetdik.sys

2010/08/17 06:57:30.0484 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/08/17 06:57:30.0546 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/08/17 06:57:30.0562 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/08/17 06:57:30.0625 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

2010/08/17 06:57:30.0656 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/08/17 06:57:30.0671 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2010/08/17 06:57:30.0781 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/08/17 06:57:30.0843 MRxSmb (421f7b922cec5a5f340e7574a98f7b7c) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/08/17 06:57:31.0140 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/08/17 06:57:31.0171 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/08/17 06:57:31.0203 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/08/17 06:57:31.0250 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/08/17 06:57:31.0281 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/08/17 06:57:31.0343 MSTabBtn (dc2ce790c9b1c5b294c298b81d66fe65) C:\WINDOWS\system32\DRIVERS\mstabbtn.sys

2010/08/17 06:57:31.0437 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/08/17 06:57:31.0484 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/08/17 06:57:31.0531 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/08/17 06:57:31.0578 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/08/17 06:57:31.0671 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/08/17 06:57:31.0703 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/08/17 06:57:31.0750 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/08/17 06:57:31.0812 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/08/17 06:57:31.0859 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/08/17 06:57:31.0890 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/08/17 06:57:31.0921 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/08/17 06:57:32.0093 NETw4x32 (9eb7001200bc53dad5bc531f0e58970e) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys

2010/08/17 06:57:32.0187 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/08/17 06:57:32.0234 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/08/17 06:57:32.0281 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/08/17 06:57:32.0390 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/08/17 06:57:32.0437 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/08/17 06:57:32.0468 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/08/17 06:57:32.0515 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/08/17 06:57:32.0562 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys

2010/08/17 06:57:32.0593 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/08/17 06:57:32.0625 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/08/17 06:57:32.0703 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys

2010/08/17 06:57:32.0890 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/08/17 06:57:32.0953 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/08/17 06:57:33.0046 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys

2010/08/17 06:57:33.0125 PCTINDIS5 (351bd8c80b2c411ea5a122fcfed4d7c8) C:\WINDOWS\system32\PCTINDIS5.SYS

2010/08/17 06:57:33.0484 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2010/08/17 06:57:33.0578 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2010/08/17 06:57:33.0625 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/08/17 06:57:33.0656 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/08/17 06:57:33.0671 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/08/17 06:57:33.0703 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys

2010/08/17 06:57:33.0734 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2010/08/17 06:57:33.0750 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2010/08/17 06:57:33.0765 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/08/17 06:57:33.0796 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/08/17 06:57:33.0812 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/08/17 06:57:33.0843 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/08/17 06:57:33.0875 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/08/17 06:57:33.0921 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/08/17 06:57:33.0953 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/08/17 06:57:33.0984 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/08/17 06:57:34.0000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/08/17 06:57:34.0031 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/08/17 06:57:34.0046 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/08/17 06:57:34.0093 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/08/17 06:57:34.0140 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys

2010/08/17 06:57:34.0218 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

2010/08/17 06:57:34.0281 s24trans (c26a053e4db47f6cdd8653c83aaf22ee) C:\WINDOWS\system32\DRIVERS\s24trans.sys

2010/08/17 06:57:34.0390 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2010/08/17 06:57:34.0421 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/08/17 06:57:34.0453 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/08/17 06:57:34.0500 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/08/17 06:57:34.0546 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/08/17 06:57:34.0609 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/08/17 06:57:34.0671 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/08/17 06:57:34.0718 snapman (784fb266fa306c19536c25dc3de687b0) C:\WINDOWS\system32\DRIVERS\snapman.sys

2010/08/17 06:57:34.0812 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/08/17 06:57:34.0875 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/08/17 06:57:34.0906 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/08/17 06:57:34.0968 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/08/17 06:57:35.0046 STHDA (cc314b6e5c2c73b849b57d3decd45bea) C:\WINDOWS\system32\drivers\sthda.sys

2010/08/17 06:57:35.0265 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/08/17 06:57:35.0328 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/08/17 06:57:35.0359 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/08/17 06:57:35.0421 swmsflt (851681f7d3200e2a646c5ee4d4e9883d) C:\WINDOWS\System32\drivers\swmsflt.sys

2010/08/17 06:57:35.0515 SWNC8U80 (ca27e8ce559a9c0acc4f9ea468acf414) C:\WINDOWS\system32\DRIVERS\swnc8u80.sys

2010/08/17 06:57:35.0718 SWUMX80 (e0042a561eeed484b5c831c2a50b7e8b) C:\WINDOWS\system32\DRIVERS\swumx80.sys

2010/08/17 06:57:35.0828 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/08/17 06:57:35.0875 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/08/17 06:57:35.0921 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/08/17 06:57:35.0953 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/08/17 06:57:36.0046 SynTP (cb01c7b5c9a9bf76c4dbd30256c4c001) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2010/08/17 06:57:36.0234 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/08/17 06:57:36.0296 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/08/17 06:57:36.0343 tcpipBM (6bad45e4c857e85b53c055e2614f0ca7) C:\WINDOWS\system32\drivers\tcpipBM.sys

2010/08/17 06:57:36.0437 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/08/17 06:57:36.0453 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/08/17 06:57:36.0484 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/08/17 06:57:36.0562 tifm21 (f779ba4cd37963ab4600c9871b7752a3) C:\WINDOWS\system32\drivers\tifm21.sys

2010/08/17 06:57:36.0765 tifsfilter (ce6e84d90b9ea73bb59cbafe00b09102) C:\WINDOWS\system32\DRIVERS\tifsfilt.sys

2010/08/17 06:57:36.0828 timounter (96e3b3add78eda42fee7acf23bc2a450) C:\WINDOWS\system32\DRIVERS\timntr.sys

2010/08/17 06:57:36.0906 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/08/17 06:57:37.0062 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/08/17 06:57:37.0078 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/08/17 06:57:37.0156 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/08/17 06:57:37.0203 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys

2010/08/17 06:57:37.0328 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

2010/08/17 06:57:37.0359 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/08/17 06:57:37.0406 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/08/17 06:57:37.0437 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/08/17 06:57:37.0531 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

2010/08/17 06:57:37.0609 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/08/17 06:57:37.0656 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/08/17 06:57:37.0687 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/08/17 06:57:37.0718 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/08/17 06:57:37.0765 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/08/17 06:57:37.0796 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/08/17 06:57:37.0812 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/08/17 06:57:37.0875 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys

2010/08/17 06:57:38.0031 WacomPen (aced8c149b30f8496c237bcba3727b48) C:\WINDOWS\system32\DRIVERS\wacompen.sys

2010/08/17 06:57:38.0062 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/08/17 06:57:38.0187 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/08/17 06:57:38.0312 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2010/08/17 06:57:38.0390 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys

2010/08/17 06:57:38.0437 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/08/17 06:57:38.0546 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/08/17 06:57:38.0593 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/08/17 06:57:38.0796 ================================================================================

2010/08/17 06:57:38.0796 Scan finished

2010/08/17 06:57:38.0796 ================================================================================

2010/08/17 06:57:38.0828 Detected object count: 1

2010/08/17 07:00:12.0843 hpn (9317dfb52dc22cd683b2360a05756bbc) C:\WINDOWS\system32\DRIVERS\hpn.sys

2010/08/17 07:00:12.0843 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\hpn.sys. Real md5: 9317dfb52dc22cd683b2360a05756bbc, Fake md5: b028377dea0546a5fcfba928a8aefae0

2010/08/17 07:00:13.0437 Backup copy found, using it..

2010/08/17 07:00:13.0531 C:\WINDOWS\system32\DRIVERS\hpn.sys - will be cured after reboot

2010/08/17 07:00:13.0531 Rootkit.Win32.TDSS.tdl3(hpn) - User select action: Cure

2010/08/17 07:00:39.0843 Deinitialize success

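The "Suspicious file (Forged)" lines in the TDSSKiller log above are the rootkit indicator itself: TDSSKiller flags a driver as forged when the hash of the file's contents differs depending on how the file is read, which is what a TDL3 infection produces when it patches a legitimate driver on disk and hooks disk I/O to hide the change. The script below is an added example for readers of this thread; it is not part of the original posts and not code from Kaspersky's tool. It parses lines in the 2.4.x log format visible above (the regular expressions are derived from that format and are an assumption about the tool's output), extracts the forged-hash entries, detections and the action chosen, and performs the cross-checks a responder would otherwise do by eye: the declared object count matches the detection lines, every detection has a forged-hash line for its file, and every detection was actually cured. It also groups service names that resolve to one file hash (cbidf and cbidf2k above), which is normal and not an indicator. The sample log is constructed from lines of the log posted above.

```python
"""Pull the rootkit indicators out of a TDSSKiller 2.4.x log (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in the TDSSKiller 2.4.x log format. Driver names, paths and
# hashes are the ones that appear in the log posted above; the rest is omitted.
SAMPLE_LOG = """\
2010/08/17 06:56:40.0890 TDSS rootkit removing tool 2.4.1.2 Aug 16 2010 09:46:23
2010/08/17 06:57:23.0718 Scan started
2010/08/17 06:57:24.0203 ACPI (8fd99680a539792a30e97944fdaecf17) C:\\WINDOWS\\system32\\DRIVERS\\ACPI.sys
2010/08/17 06:57:26.0359 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\\WINDOWS\\system32\\DRIVERS\\cbidf2k.sys
2010/08/17 06:57:26.0390 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\\WINDOWS\\system32\\drivers\\cbidf2k.sys
2010/08/17 06:57:28.0234 hpn (9317dfb52dc22cd683b2360a05756bbc) C:\\WINDOWS\\system32\\DRIVERS\\hpn.sys
2010/08/17 06:57:28.0234 Suspicious file (Forged): C:\\WINDOWS\\system32\\DRIVERS\\hpn.sys. Real md5: 9317dfb52dc22cd683b2360a05756bbc, Fake md5: b028377dea0546a5fcfba928a8aefae0
2010/08/17 06:57:28.0234 hpn - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/17 06:57:38.0796 Scan finished
2010/08/17 06:57:38.0828 Detected object count: 1
2010/08/17 07:00:13.0531 C:\\WINDOWS\\system32\\DRIVERS\\hpn.sys - will be cured after reboot
2010/08/17 07:00:13.0531 Rootkit.Win32.TDSS.tdl3(hpn) - User select action: Cure
"""

# Line shapes, derived from the log format above (an assumption about the tool's output).
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
MD5 = r"[0-9a-f]{32}"
DRIVER_RE = re.compile(TS + r"(?P<name>\S+) \((?P<md5>" + MD5 + r")\) (?P<path>.+)$")
FORGED_RE = re.compile(TS + r"Suspicious file \(Forged\): (?P<path>.+)\. Real md5: (?P<real>"
                       + MD5 + r"), Fake md5: (?P<fake>" + MD5 + r")$")
DETECT_RE = re.compile(TS + r"(?P<name>\S+) - detected (?P<verdict>\S+) \(\d+\)$")
COUNT_RE = re.compile(TS + r"Detected object count: (?P<n>\d+)$")
ACTION_RE = re.compile(TS + r"(?P<verdict>[^\s(]+)\((?P<name>[^)]+)\) - User select action: (?P<action>\w+)$")


@dataclass
class Forged:
    path: str
    real_md5: str  # hash of the contents TDSSKiller read from disk (my reading of the tool's labels)
    fake_md5: str  # hash the normal, possibly hooked, file-system read reported for the same file


@dataclass
class Report:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # name -> (md5, path)
    forged: List[Forged] = field(default_factory=list)
    detections: Dict[str, str] = field(default_factory=dict)           # name -> verdict
    actions: Dict[str, str] = field(default_factory=dict)              # name -> action chosen
    declared_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> Report:
    """Walk the log once; lines matching none of the known shapes are ignored."""
    report = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := FORGED_RE.match(line)):
            report.forged.append(Forged(m["path"], m["real"], m["fake"]))
        elif (m := DETECT_RE.match(line)):
            report.detections[m["name"]] = m["verdict"]
        elif (m := COUNT_RE.match(line)):
            report.declared_count = int(m["n"])
        elif (m := ACTION_RE.match(line)):
            report.actions[m["name"]] = m["action"]
        elif (m := DRIVER_RE.match(line)):
            report.drivers[m["name"]] = (m["md5"], m["path"])
    return report


def consistency_findings(report: Report) -> List[str]:
    """Cross-checks a responder does before trusting the result; empty list means consistent."""
    findings: List[str] = []
    if report.declared_count is not None and report.declared_count != len(report.detections):
        findings.append(f"declared {report.declared_count} object(s) but the log shows "
                        f"{len(report.detections)} detection line(s)")
    forged_paths = {f.path.lower() for f in report.forged}
    for name, verdict in report.detections.items():
        _, path = report.drivers.get(name, ("", ""))
        if path.lower() not in forged_paths:
            findings.append(f"{name}: {verdict} detected without a forged-hash line for its file")
        action = report.actions.get(name)
        if action is None:
            findings.append(f"{name}: no user action recorded, the object was not treated")
        elif action != "Cure":
            findings.append(f"{name}: action was {action}, not Cure")
    for f in report.forged:
        if f.real_md5 == f.fake_md5:
            findings.append(f"{f.path}: flagged as forged but both hashes agree")
    return findings


def drivers_sharing_hash(report: Report) -> Dict[str, List[str]]:
    """Service names bound to a file with the same hash (cbidf/cbidf2k above): normal, not an indicator."""
    by_md5: Dict[str, List[str]] = {}
    for name, (md5, _) in report.drivers.items():
        by_md5.setdefault(md5, []).append(name)
    return {h: sorted(names) for h, names in by_md5.items() if len(names) > 1}


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for f in rep.forged:
        print(f"FORGED {f.path}  on-disk {f.real_md5}  via-filesystem {f.fake_md5}")
    for name, verdict in rep.detections.items():
        print(f"{name}: {verdict} -> {rep.actions.get(name, 'no action')}")
    print("findings:", consistency_findings(rep) or "none")
```

Run it against a full TDSSKiller_*.log by reading the file into `parse_tdsskiller_log` instead of `SAMPLE_LOG`. A non-empty findings list is the case to look at: a detection whose action is not "Cure", or a declared count that does not match the detection lines, means the object was reported but not treated, and the machine should not be considered clean on the strength of that log.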

Hi Elise,

After running TDSSKiller I tried to run ComboFix, and here are the logs.

=========================================================================

ComboFix 10-08-16.04 - sjchopha 08/17/2010 7:21.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1420 [GMT -7:00]

Running from: c:\documents and settings\sjchopha\Desktop\ComboFix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\All Users\Application Data\Toolbar4

c:\program files\Search Toolbar

c:\program files\Search Toolbar\basis.xml

c:\program files\Search Toolbar\bg.bmp

c:\program files\Search Toolbar\bing_logo.png

c:\program files\Search Toolbar\celebrity.png

c:\program files\Search Toolbar\drop_images.png

c:\program files\Search Toolbar\drop_maps.png

c:\program files\Search Toolbar\drop_news.png

c:\program files\Search Toolbar\drop_videos.png

c:\program files\Search Toolbar\drop_web.png

c:\program files\Search Toolbar\facebook.png

c:\program files\Search Toolbar\favicon.png

c:\program files\Search Toolbar\games.png

c:\program files\Search Toolbar\hotmail.png

c:\program files\Search Toolbar\icon.ico

c:\program files\Search Toolbar\images.png

c:\program files\Search Toolbar\include.xml

c:\program files\Search Toolbar\info.txt

c:\program files\Search Toolbar\lifestyle.png

c:\program files\Search Toolbar\maps.png

c:\program files\Search Toolbar\messenger.png

c:\program files\Search Toolbar\msn.png

c:\program files\Search Toolbar\news.png

c:\program files\Search Toolbar\SearchToolbar.dll

c:\program files\Search Toolbar\SearchToolbarUninstall.exe

c:\program files\Search Toolbar\tbcore3.dll

c:\program files\Search Toolbar\tbhelper.dll

c:\program files\Search Toolbar\twitter.png

c:\program files\Search Toolbar\uninstall.exe

c:\program files\Search Toolbar\update.exe

c:\program files\Search Toolbar\version.txt

c:\program files\Search Toolbar\video.png

c:\program files\Search Toolbar\videos.png

c:\program files\Search Toolbar\weather.png

c:\program files\Search Toolbar\web.png

c:\windows\Downloaded Program Files\x64

c:\windows\Downloaded Program Files\x64\racodec.ax

c:\windows\Downloaded Program Files\x86

c:\windows\Downloaded Program Files\x86\racodec.ax

c:\windows\system32\18467.exe

c:\windows\system32\26500.exe

c:\windows\system32\6334.exe

c:\windows\system32\Thumbs.db

c:\windows\system32\gotomon.log . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://sjcnt075.americas.ad.flextronics.com

hxxp://download.yimg.com

Infected copy of c:\windows\system32\drivers\ntfs.sys was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\ntfs.sys

.

((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))

.

2010-08-09 02:59 . 2010-08-09 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON

2010-08-09 02:58 . 2007-12-06 17:08 86528 ----a-w- c:\windows\system32\E_FLBEQA.DLL

2010-08-09 02:58 . 2007-12-06 17:01 78848 ----a-w- c:\windows\system32\E_FD4BEQA.DLL

2010-08-09 02:56 . 2007-07-13 07:00 71680 ----a-w- c:\windows\system32\escwiad.dll

2010-08-04 22:41 . 2010-08-10 23:30 71688 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-04 21:48 . 2010-08-06 23:46 -------- d-----w- c:\documents and settings\sjchopha\.shsh

2010-08-03 15:50 . 2010-08-03 15:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo

2010-08-03 15:50 . 2010-08-03 15:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!

2010-08-03 15:43 . 2010-08-04 22:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2010-08-03 15:43 . 2010-08-04 22:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer

2010-08-03 15:43 . 2010-08-03 15:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\AT&T

2010-08-02 19:05 . 2010-08-02 19:05 -------- d-----w- c:\program files\iPod

2010-08-02 19:05 . 2010-08-02 19:06 -------- d-----w- c:\program files\iTunes

2010-08-02 19:03 . 2010-08-02 19:03 -------- d-----w- c:\program files\Apple Software Update

2010-08-02 19:01 . 2010-08-02 19:01 -------- d-----w- c:\program files\Bonjour

2010-08-02 10:13 . 2010-08-02 10:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-28 20:34 . 2010-07-28 20:34 -------- d-----w- c:\program files\ASUS

2010-07-28 20:34 . 2010-05-05 23:38 13224 ----a-w- c:\windows\system32\drivers\AiCharger.sys

2010-07-28 00:34 . 2010-07-28 00:34 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-28 00:33 . 2010-07-28 00:33 -------- d-----w- c:\windows\CD95F661A5C444F5A6AAECDD91C240B5.TMP

2010-07-28 00:33 . 2010-07-28 00:33 -------- d-----w- c:\program files\Citrix

2010-07-28 00:33 . 2010-07-28 00:33 -------- d-----w- c:\program files\Readon Technology

2010-07-28 00:32 . 2010-07-28 00:32 -------- d-----w- c:\program files\Common Files\Research in Motion

2010-07-28 00:32 . 2010-07-28 00:32 -------- d-----w- c:\program files\AT&T

2010-07-28 00:32 . 2010-07-28 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T

2010-07-27 19:19 . 2010-07-27 19:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee

2010-07-27 19:19 . 2010-07-27 19:19 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-07-27 09:10 . 2010-07-28 00:12 -------- d-----w- C:\RECYCLER(2)

2010-07-26 02:12 . 2010-07-26 02:12 -------- d-----w- c:\documents and settings\sjchopha\Local Settings\Application Data\FixItCenter

2010-07-26 02:08 . 2010-07-28 00:12 -------- d-----w- c:\windows\MATS

2010-07-26 02:08 . 2010-07-28 00:12 -------- d-----w- c:\program files\Microsoft Fix it Center

2010-07-26 01:55 . 2010-07-26 01:55 -------- d-----w- C:\cabs

2010-07-26 01:48 . 2010-07-26 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz

2010-07-26 01:47 . 2010-07-26 01:47 -------- d-----w- c:\program files\Driver Whiz

2010-07-26 00:52 . 2010-07-28 00:13 -------- d-----w- c:\program files\Citrix(3)

2010-07-26 00:51 . 2010-07-28 00:13 -------- d-----w- c:\program files\iTunes(4)

2010-07-26 00:51 . 2010-07-28 00:13 -------- d-----w- c:\program files\iPod(4)

2010-07-22 19:11 . 2010-07-28 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-22 14:59 . 2010-08-09 01:37 -------- d-----w- c:\program files\Windows Live Safety Center

2010-07-21 16:55 . 2010-08-04 21:47 -------- d-----w- C:\Simple I Tool

2010-07-21 10:22 . 2010-07-28 00:23 -------- d-----w- c:\program files\iPod(3)

2010-07-21 10:18 . 2010-07-28 00:23 -------- d-----w- c:\program files\Apple Software Update(3)

2010-07-21 10:17 . 2010-07-28 00:23 -------- d-----w- c:\program files\Bonjour(3)

2010-07-21 09:45 . 2010-07-28 00:23 -------- d-----w- c:\program files\iTunes(3)

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-17 14:06 . 2009-11-25 05:57 4904 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2010-08-17 14:01 . 2006-06-27 08:53 25952 ----a-w- c:\windows\system32\drivers\hpn.sys

2010-08-17 13:45 . 2008-10-20 18:02 -------- d-----w- c:\program files\Java

2010-08-16 10:58 . 2010-03-19 02:50 -------- d-----w- c:\documents and settings\sjchopha\Application Data\vlc

2010-08-13 16:08 . 2010-01-02 19:16 -------- d-----w- c:\program files\JDownloader

2010-08-13 05:38 . 2009-10-23 03:19 71688 ----a-w- c:\documents and settings\sjchopha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-12 18:18 . 2009-10-01 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-03 18:28 . 2009-10-23 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2010-08-02 19:05 . 2009-10-24 14:47 -------- d-----w- c:\program files\Common Files\Apple

2010-08-02 19:04 . 2009-12-16 08:38 -------- d-----w- c:\program files\QuickTime

2010-08-02 19:04 . 2009-10-24 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-08-02 10:13 . 2009-10-26 06:41 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-28 20:34 . 2006-06-24 04:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-28 00:34 . 2010-04-30 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-07-28 00:34 . 2009-11-21 01:11 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-07-28 00:34 . 2009-11-21 01:11 -------- d-----w- c:\program files\DivX

2010-07-28 00:33 . 2010-05-12 16:45 -------- d-----w- c:\program files\Google

2010-07-28 00:33 . 2010-05-18 01:25 -------- d-----w- c:\program files\Readon Technology(2)

2010-07-28 00:33 . 2010-05-20 22:09 -------- d-----w- c:\program files\Bonjour(2)

2010-07-28 00:31 . 2010-05-21 18:28 -------- d-----w- c:\program files\iPod(2)

2010-07-28 00:31 . 2010-05-21 18:28 -------- d-----w- c:\program files\iTunes(2)

2010-07-28 00:31 . 2010-05-21 18:27 -------- d-----w- c:\program files\Apple Software Update(2)

2010-07-28 00:26 . 2008-10-20 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-07-28 00:25 . 2010-05-27 03:23 -------- d-----w- c:\program files\Citrix(2)

2010-07-21 19:14 . 2010-07-21 19:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf

2010-07-21 19:14 . 2010-07-21 19:14 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2010-07-16 15:19 . 2010-07-16 15:19 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe

2009-10-24 03:15 . 2009-10-24 03:15 81408 ----a-w- c:\program files\taskkill.exe

2009-10-23 03:07 . 2010-03-23 17:10 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

2010-04-18 23:31 . 2010-04-18 23:27 24 --sh--w- c:\windows\S50D0A73E.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-10-01 258856]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-10-16 124224]

"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-06-10 33280]

"EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2008-12-26 1169264]

"AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2008-12-26 1949480]

"Apricorn Scheduler Service"="c:\program files\Common Files\Apricorn\Schedule2\schedhlp.exe" [2008-12-26 148712]

"ASUS Ai Charger"="c:\program files\ASUS\ASUS Ai Charger\AiChargerAP.exe" [2010-05-10 465536]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Add_These_Administrative_Groups.txt [2009-9-11 1191]

c:\documents and settings\Desktop\Start Menu\Programs\Startup\

Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2009-9-11 153352]

c:\documents and settings\sjchopha\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Flextronics VPN Client.lnk - c:\program files\Flextronics VPN Client\vpngui.exe [2009-9-11 1524776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2008-10-01 00:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]

2008-04-14 12:41 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]

2002-08-29 18:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]

2008-04-14 12:42 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-329068152-789336058-725345543-246897\Scripts\Logon\0\0]

"Script"=Runme.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-329068152-789336058-725345543-99290\Scripts\Logon\0\0]

"Script"=Runme.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AllAlertsDisabled"=dword:00000001

"TermService"=dword:00000001

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Documents and Settings\\sjchopha\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=

"c:\\Program Files\\iCamSource\\iCamSource.exe"=

"c:\\Documents and Settings\\sjchopha\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=

"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

"c:\\Program Files\\Readon Technology\\Readon TV Movie Radio Player 6.3.1.0\\internettv.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Simple I Tool\\umbrella-4.00.06.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Documents and Settings\\sjchopha\\My Documents\\Iphone SW\\umbrella-4.01\\umbrella-4.01.07.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 AiCharger;ASUS Charger Driver;c:\windows\system32\drivers\AiCharger.sys [7/28/2010 1:34 PM 13224]

R2 FlexInvSvc;Flextronics Inventory Service;c:\program files\Flextronics Int\FlexInvSVC\FlexInvService.exe [10/12/2009 6:36 PM 77824]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/22/2010 6:23 AM 304464]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [10/22/2009 8:07 PM 21256]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/23/2010 10:10 AM 70728]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/22/2010 6:22 AM 20952]

R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [10/20/2008 11:59 AM 10496]

R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [10/20/2008 11:02 AM 14208]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [5/23/2008 5:01 PM 106496]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/23/2010 10:10 AM 65448]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [1/10/2008 4:58 PM 165248]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [1/10/2008 4:59 PM 142976]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [6/22/2006 3:06 PM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

2010-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2009-09-11 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-23 12:42]

2009-09-11 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-23 12:42]

2009-09-11 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-23 12:42]

2010-08-17 c:\windows\Tasks\User_Feed_Synchronization-{83548D6D-EBE1-4918-9707-FF226A33C210}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=Gateway%20Viper-SR

uInternet Settings,ProxyServer = http=127.0.0.1:5555

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

LSP: bmnet.dll

DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom1.flextronics.com/eRoomSetup/client.cab

FF - ProfilePath - c:\documents and settings\sjchopha\Application Data\Mozilla\Firefox\Profiles\n27v90nh.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://bing.zugo.com/?cfg=2-80-0-NQI9

FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=

FF - component: c:\documents and settings\sjchopha\Application Data\Mozilla\Firefox\Profiles\n27v90nh.default\extensions\{896642E4-C556-4ED3-85D1-9AC431603E7D}\components\Engine.dll

FF - plugin: c:\documents and settings\sjchopha\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\sjchopha\Application Data\Move Networks\plugins\npqmp071705000014.dll

FF - plugin: c:\documents and settings\sjchopha\Local Settings\Application Data\Yahoo!\BrowserPlus\2.4.17\Plugins\npybrowserplus_2.4.17.dll

FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)

WebBrowser-{0C8413C1-FAD1-446C-8584-BE50576F863E} - c:\program files\Search Toolbar\tbcore3.dll

Notify-NavLogon - (no file)

SafeBoot-klmdb.sys

AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe

AddRemove-Cisco Unified Presenter Add-in 6x5 - c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\ciscounifiedaddin6x5\ciscounifiedaddin6x5 -uninstall

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-17 07:30

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,d8,57,f8,ec,5f,0d,49,b4,5a,4e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,d8,57,f8,ec,5f,0d,49,b4,5a,4e,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(1124)

c:\windows\system32\relog_ap.dll

c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(688)

c:\windows\system32\WININET.dll

c:\program files\windows journal\nbmaptip.dll

c:\windows\IME\SPGRMR.DLL

c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll

c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll

c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\program files\Common Files\Apricorn\Schedule2\schedul2.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\system32\bmwebcfg.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Flextronics VPN Client\cvpnd.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\McAfee\VirusScan Enterprise\mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\windows\SYSTEM32\WISPTIS.EXE

c:\windows\System32\tabbtnu.exe

c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe

c:\program files\Citrix\GoToMyPC\g2comm.exe

c:\program files\Citrix\GoToMyPC\g2pre.exe

c:\program files\Citrix\GoToMyPC\g2tray.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2010-08-17 07:39:21 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-17 14:39

Pre-Run: 245,283,467,264 bytes free

Post-Run: 245,429,686,272 bytes free

- - End Of File - - 681E03159C1E7E697293BD31987B7065


Hello again,

That took out a lot of bad stuff, well done. :)

Please let me know how things are running after the following fix.

CF-SCRIPT

-------------

We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and, in the box that opens, type notepad and press Enter. Copy/paste the text in the codebox below into it:

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5555

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Hi Elise,

After I ran TDSSKiller and ComboFix on my laptop, so far I don't see the Anti-Malware pop-up any more, and I am able to do Windows Update also. Thank you a lot for your help. I tried to remove Java before; please let me know which one I need to redownload. Below is the newer ComboFix.txt.

========================================================================

ComboFix 10-08-16.04 - sjchopha 08/17/2010 8:55.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1402 [GMT -7:00]

Running from: c:\documents and settings\sjchopha\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\sjchopha\Desktop\CFScript.txt

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\gotomon.log . . . . failed to delete

.

((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))

.

2010-08-17 14:57 . 2010-06-24 12:21 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2010-08-17 14:56 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

2010-08-09 02:59 . 2010-08-09 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON

2010-08-09 02:58 . 2007-12-06 17:08 86528 ----a-w- c:\windows\system32\E_FLBEQA.DLL

2010-08-09 02:58 . 2007-12-06 17:01 78848 ----a-w- c:\windows\system32\E_FD4BEQA.DLL

2010-08-09 02:56 . 2007-07-13 07:00 71680 ----a-w- c:\windows\system32\escwiad.dll

2010-08-04 22:41 . 2010-08-10 23:30 71688 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-04 21:48 . 2010-08-06 23:46 -------- d-----w- c:\documents and settings\sjchopha\.shsh

2010-08-03 15:50 . 2010-08-03 15:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo

2010-08-03 15:50 . 2010-08-03 15:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Yahoo!

2010-08-03 15:43 . 2010-08-04 22:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer

2010-08-03 15:43 . 2010-08-04 22:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Apple Computer

2010-08-03 15:43 . 2010-08-03 15:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\AT&T

2010-08-02 19:05 . 2010-08-02 19:05 -------- d-----w- c:\program files\iPod

2010-08-02 19:05 . 2010-08-02 19:06 -------- d-----w- c:\program files\iTunes

2010-08-02 19:03 . 2010-08-02 19:03 -------- d-----w- c:\program files\Apple Software Update

2010-08-02 19:01 . 2010-08-02 19:01 -------- d-----w- c:\program files\Bonjour

2010-08-02 10:13 . 2010-08-02 10:15 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2010-07-28 20:34 . 2010-07-28 20:34 -------- d-----w- c:\program files\ASUS

2010-07-28 20:34 . 2010-05-05 23:38 13224 ----a-w- c:\windows\system32\drivers\AiCharger.sys

2010-07-28 00:34 . 2010-07-28 00:34 -------- d-----w- c:\windows\system32\wbem\Repository

2010-07-28 00:33 . 2010-07-28 00:33 -------- d-----w- c:\windows\CD95F661A5C444F5A6AAECDD91C240B5.TMP

2010-07-28 00:33 . 2010-07-28 00:33 -------- d-----w- c:\program files\Citrix

2010-07-28 00:33 . 2010-07-28 00:33 -------- d-----w- c:\program files\Readon Technology

2010-07-28 00:32 . 2010-07-28 00:32 -------- d-----w- c:\program files\Common Files\Research in Motion

2010-07-28 00:32 . 2010-07-28 00:32 -------- d-----w- c:\program files\AT&T

2010-07-28 00:32 . 2010-07-28 00:32 -------- d-----w- c:\documents and settings\All Users\Application Data\AT&T

2010-07-27 19:19 . 2010-07-27 19:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\McAfee

2010-07-27 19:19 . 2010-07-27 19:19 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2010-07-27 09:10 . 2010-07-28 00:12 -------- d-----w- C:\RECYCLER(2)

2010-07-26 02:12 . 2010-07-26 02:12 -------- d-----w- c:\documents and settings\sjchopha\Local Settings\Application Data\FixItCenter

2010-07-26 02:08 . 2010-07-28 00:12 -------- d-----w- c:\windows\MATS

2010-07-26 02:08 . 2010-07-28 00:12 -------- d-----w- c:\program files\Microsoft Fix it Center

2010-07-26 01:55 . 2010-07-26 01:55 -------- d-----w- C:\cabs

2010-07-26 01:48 . 2010-07-26 01:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Driver Whiz

2010-07-26 01:47 . 2010-07-26 01:47 -------- d-----w- c:\program files\Driver Whiz

2010-07-26 00:52 . 2010-07-28 00:13 -------- d-----w- c:\program files\Citrix(3)

2010-07-26 00:51 . 2010-07-28 00:13 -------- d-----w- c:\program files\iTunes(4)

2010-07-26 00:51 . 2010-07-28 00:13 -------- d-----w- c:\program files\iPod(4)

2010-07-22 19:11 . 2010-07-28 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-22 14:59 . 2010-08-09 01:37 -------- d-----w- c:\program files\Windows Live Safety Center

2010-07-21 16:55 . 2010-08-04 21:47 -------- d-----w- C:\Simple I Tool

2010-07-21 10:22 . 2010-07-28 00:23 -------- d-----w- c:\program files\iPod(3)

2010-07-21 10:18 . 2010-07-28 00:23 -------- d-----w- c:\program files\Apple Software Update(3)

2010-07-21 10:17 . 2010-07-28 00:23 -------- d-----w- c:\program files\Bonjour(3)

2010-07-21 09:45 . 2010-07-28 00:23 -------- d-----w- c:\program files\iTunes(3)

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-08-17 15:37 . 2009-11-25 05:57 4912 ----a-w- c:\windows\system32\PerfStringBackup.TMP

2010-08-17 15:32 . 2010-01-26 07:54 -------- d-----w- c:\program files\Microsoft Silverlight

2010-08-17 15:04 . 2008-10-20 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-08-17 14:01 . 2006-06-27 08:53 25952 ----a-w- c:\windows\system32\drivers\hpn.sys

2010-08-17 13:45 . 2008-10-20 18:02 -------- d-----w- c:\program files\Java

2010-08-16 10:58 . 2010-03-19 02:50 -------- d-----w- c:\documents and settings\sjchopha\Application Data\vlc

2010-08-13 16:08 . 2010-01-02 19:16 -------- d-----w- c:\program files\JDownloader

2010-08-13 05:38 . 2009-10-23 03:19 71688 ----a-w- c:\documents and settings\sjchopha\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-08-12 18:18 . 2009-10-01 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-08-03 18:28 . 2009-10-23 13:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2010-08-02 19:05 . 2009-10-24 14:47 -------- d-----w- c:\program files\Common Files\Apple

2010-08-02 19:04 . 2009-12-16 08:38 -------- d-----w- c:\program files\QuickTime

2010-08-02 19:04 . 2009-10-24 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

2010-08-02 10:13 . 2009-10-26 06:41 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-07-28 20:34 . 2006-06-24 04:44 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-28 00:34 . 2010-04-30 06:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-07-28 00:34 . 2009-11-21 01:11 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-07-28 00:34 . 2009-11-21 01:11 -------- d-----w- c:\program files\DivX

2010-07-28 00:33 . 2010-05-12 16:45 -------- d-----w- c:\program files\Google

2010-07-28 00:33 . 2010-05-18 01:25 -------- d-----w- c:\program files\Readon Technology(2)

2010-07-28 00:33 . 2010-05-20 22:09 -------- d-----w- c:\program files\Bonjour(2)

2010-07-28 00:31 . 2010-05-21 18:28 -------- d-----w- c:\program files\iPod(2)

2010-07-28 00:31 . 2010-05-21 18:28 -------- d-----w- c:\program files\iTunes(2)

2010-07-28 00:31 . 2010-05-21 18:27 -------- d-----w- c:\program files\Apple Software Update(2)

2010-07-28 00:25 . 2010-05-27 03:23 -------- d-----w- c:\program files\Citrix(2)

2010-07-21 19:14 . 2010-07-21 19:14 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_netaapl_01005.Wdf

2010-07-21 19:14 . 2010-07-21 19:14 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2010-07-16 15:19 . 2010-07-16 15:19 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe

2010-06-30 12:31 . 2006-06-22 22:06 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-24 12:22 . 2006-06-22 22:07 916480 ----a-w- c:\windows\system32\wininet.dll

2010-06-23 13:44 . 2006-06-22 22:07 1851904 ----a-w- c:\windows\system32\win32k.sys

2010-06-21 15:27 . 2006-06-22 22:06 354304 ----a-w- c:\windows\system32\drivers\srv.sys

2010-06-17 14:03 . 2006-06-22 22:06 80384 ----a-w- c:\windows\system32\iccvid.dll

2010-06-14 14:31 . 2006-06-23 05:17 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe

2010-06-14 07:41 . 2006-06-22 22:06 1172480 ----a-w- c:\windows\system32\msxml3.dll

2009-10-24 03:15 . 2009-10-24 03:15 81408 ----a-w- c:\program files\taskkill.exe

2009-10-23 03:07 . 2010-03-23 17:10 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

2010-04-18 23:31 . 2010-04-18 23:27 24 --sh--w- c:\windows\S50D0A73E.tmp

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-10-01 258856]

"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-09-25 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-10-16 124224]

"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-06-10 33280]

"EZGigMonitor.exe"="c:\program files\Apricorn\EZ Gig II\EZGigMonitor.exe" [2008-12-26 1169264]

"AcronisTimounterMonitor"="c:\program files\Apricorn\EZ Gig II\TimounterMonitor.exe" [2008-12-26 1949480]

"Apricorn Scheduler Service"="c:\program files\Common Files\Apricorn\Schedule2\schedhlp.exe" [2008-12-26 148712]

"ASUS Ai Charger"="c:\program files\ASUS\ASUS Ai Charger\AiChargerAP.exe" [2010-05-10 465536]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Add_These_Administrative_Groups.txt [2009-9-11 1191]

c:\documents and settings\Desktop\Start Menu\Programs\Startup\

Monitor My eRooms (V7).lnk - c:\program files\eRoom 7\ERClient7.exe [2009-9-11 153352]

c:\documents and settings\sjchopha\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Flextronics VPN Client.lnk - c:\program files\Flextronics VPN Client\vpngui.exe [2009-9-11 1524776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]

2008-10-01 00:04 10536 ----a-w- c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]

2008-04-14 12:41 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\loginkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]

2002-08-29 18:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]

2008-04-14 12:42 32256 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-329068152-789336058-725345543-246897\Scripts\Logon\0\0]

"Script"=Runme.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-329068152-789336058-725345543-99290\Scripts\Logon\0\0]

"Script"=Runme.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AllAlertsDisabled"=dword:00000001

"TermService"=dword:00000001

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Documents and Settings\\sjchopha\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=

"c:\\Program Files\\iCamSource\\iCamSource.exe"=

"c:\\Documents and Settings\\sjchopha\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=

"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=

"c:\\Program Files\\Readon Technology\\Readon TV Movie Radio Player 6.3.1.0\\internettv.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Simple I Tool\\umbrella-4.00.06.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

"c:\\Documents and Settings\\sjchopha\\My Documents\\Iphone SW\\umbrella-4.01\\umbrella-4.01.07.exe"=

"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 AiCharger;ASUS Charger Driver;c:\windows\system32\drivers\AiCharger.sys [7/28/2010 1:34 PM 13224]

R2 FlexInvSvc;Flextronics Inventory Service;c:\program files\Flextronics Int\FlexInvSVC\FlexInvService.exe [10/12/2009 6:36 PM 77824]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/22/2010 6:23 AM 304464]

R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [10/22/2009 8:07 PM 21256]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/23/2010 10:10 AM 70728]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/22/2010 6:22 AM 20952]

R3 MSTabBtn;Quanta Computer Tablet PC Buttons HID Driver;c:\windows\system32\drivers\mstabbtn.sys [10/20/2008 11:59 AM 10496]

R3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [10/20/2008 11:02 AM 14208]

S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [5/23/2008 5:01 PM 106496]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/23/2010 10:10 AM 65448]

S3 SWNC8U80;Sierra Wireless MUX NDIS Driver (UMTS80);c:\windows\system32\drivers\swnc8u80.sys [1/10/2008 4:58 PM 165248]

S3 SWUMX80;Sierra Wireless USB MUX Driver (UMTS80);c:\windows\system32\drivers\swumx80.sys [1/10/2008 4:59 PM 142976]

S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [6/22/2006 3:06 PM 14336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

WINRM REG_MULTI_SZ WINRM

.

Contents of the 'Scheduled Tasks' folder

2010-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

2009-09-11 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-23 12:42]

2009-09-11 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-23 12:42]

2009-09-11 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2006-06-23 12:42]

2010-08-17 c:\windows\Tasks\User_Feed_Synchronization-{83548D6D-EBE1-4918-9707-FF226A33C210}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Professional&Br=GTW&Loc=ENG_US&Sys=PTB&M=Gateway%20Viper-SR

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

LSP: bmnet.dll

DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/US/TechConsole/x86/RescueControl.cab

DPF: {6E2510E6-BF2D-4C78-9F28-2F5C8760F124} - hxxps://eroom1.flextronics.com/eRoomSetup/client.cab

FF - ProfilePath - c:\documents and settings\sjchopha\Application Data\Mozilla\Firefox\Profiles\n27v90nh.default\

FF - prefs.js: browser.search.selectedEngine - Bing

FF - prefs.js: browser.startup.homepage - hxxp://bing.zugo.com/?cfg=2-80-0-NQI9

FF - prefs.js: keyword.URL - hxxp://bing.zugotoolbar.com/s/?iesrc=IE-Address&site=Bing&q=

FF - component: c:\documents and settings\sjchopha\Application Data\Mozilla\Firefox\Profiles\n27v90nh.default\extensions\{896642E4-C556-4ED3-85D1-9AC431603E7D}\components\Engine.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-08-17 09:06

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,d8,57,f8,ec,5f,0d,49,b4,5a,4e,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,74,d8,57,f8,ec,5f,0d,49,b4,5a,4e,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'lsass.exe'(1120)

c:\windows\system32\relog_ap.dll

c:\windows\system32\bmnet.dll

- - - - - - - > 'explorer.exe'(3648)

c:\windows\system32\WININET.dll

c:\program files\windows journal\nbmaptip.dll

c:\windows\IME\SPGRMR.DLL

c:\windows\system32\ieframe.dll

c:\program files\McAfee\Common Framework\McTrayLegacySupportPlugin.dll

c:\program files\McAfee\Common Framework\McTrayInterfaceLib.dll

c:\program files\McAfee\Common Framework\McAfeeWin32GUISupportDLL.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\WinSCP\DragExt.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

c:\program files\Common Files\Apricorn\Schedule2\schedul2.exe

c:\windows\system32\agrsmsvc.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\windows\system32\bmwebcfg.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Flextronics VPN Client\cvpnd.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\McAfee\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe

c:\program files\McAfee\Common Framework\naPrdMgr.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\McAfee\VirusScan Enterprise\mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\mfeann.exe

c:\windows\SYSTEM32\WISPTIS.EXE

c:\windows\System32\tabbtnu.exe

c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe

c:\program files\McAfee\Common Framework\McTray.exe

c:\program files\Citrix\GoToMyPC\g2comm.exe

c:\program files\Citrix\GoToMyPC\g2pre.exe

c:\program files\Citrix\GoToMyPC\g2tray.exe

c:\program files\iPod\bin\iPodService.exe

c:\progra~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2010-08-17 09:13:45 - machine was rebooted

ComboFix-quarantined-files.txt 2010-08-17 16:13

ComboFix2.txt 2010-08-17 14:39

Pre-Run: 243,540,267,008 bytes free

Post-Run: 243,455,152,128 bytes free

- - End Of File - - 562243D8349AF9DF9A9C882B9461D8A9

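The most useful part of the ComboFix log above, for anyone reading a thread like this, is the "Reg Loading Points" section: Run keys, the Security Center DWORDs, and the XP firewall's AuthorizedApplications and GloballyOpenPorts lists. The script below is an added example, not code from this thread or from ComboFix. It parses that text layout and reports the entries a responder checks first: autostart binaries or firewall exceptions that live in user-writable paths, Security Center alerting switched off, and inbound ports actually enabled. SAMPLE is a constructed excerpt in ComboFix's layout; the list of user-writable roots and the flag rules are assumptions, not ComboFix logic.

```python
"""Triage a ComboFix-style "Reg Loading Points" section.

Added example (not from this thread, not ComboFix code). It parses the text
layout ComboFix prints: Run-key values, Security Center DWORDs, the XP
firewall AuthorizedApplications and GloballyOpenPorts lists, and reports the
entries a responder checks first. SAMPLE is a constructed excerpt in that
layout; the user-writable roots and the flag rules are assumptions.
"""
import re

# Constructed sample in ComboFix's layout (paths and names are made up).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoToMyPC"="c:\program files\Citrix\GoToMyPC\g2svc.exe" [2008-10-01 258856]
"Updater"="c:\documents and settings\user\Local Settings\Temp\upd.exe" [2010-08-01 12345]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AllAlertsDisabled"=dword:00000001
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\user\\temp\\TeamViewer\\Version5\\TeamViewer.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"4444:TCP"= 4444:TCP:*:Enabled:listener
"""

# Locations an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE = ("c:\\documents and settings\\", "\\temp\\", "c:\\windows\\temp\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=\s*\d+:(?:TCP|UDP):[^:]*:(?P<state>Enabled|Disabled)')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')


def in_user_writable(path):
    # ComboFix doubles backslashes in the firewall lists; normalise before matching.
    p = path.lower().replace("\\\\", "\\")
    return any(root in p for root in USER_WRITABLE)


def triage(text):
    """Return (kind, item, evidence, reason) tuples for entries worth a second look."""
    findings = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        if section.endswith("\\run"):
            m = RUN_RE.match(line)
            if m and in_user_writable(m.group("path")):
                findings.append(("run", m.group("name"), m.group("path"),
                                 "autostart binary in a user-writable location"))
        elif section.endswith("security center"):
            m = DWORD_RE.match(line)
            if (m and m.group("name") in ("AllAlertsDisabled", "DisableMonitoring")
                    and int(m.group("val"), 16) == 1):
                findings.append(("security_center", m.group("name"), line,
                                 "Security Center alerting or monitoring switched off"))
        elif section.endswith("authorizedapplications\\list"):
            m = FW_APP_RE.match(line)
            if m and in_user_writable(m.group("path")):
                findings.append(("firewall_app", m.group("path"), line,
                                 "firewall exception for a binary in a user-writable location"))
        elif section.endswith("globallyopenports\\list"):
            m = PORT_RE.match(line)
            if m and m.group("state") == "Enabled":
                findings.append(("open_port", m.group("port"), line,
                                 "inbound port opened in the firewall policy"))
    return findings


if __name__ == "__main__":
    for kind, item, evidence, reason in triage(SAMPLE):
        print(f"[{kind}] {item}: {reason}\n    {evidence}")
```

A flagged entry is a lead, not a verdict: the TeamViewer exception under a temp folder in the real log is what a portable TeamViewer leaves behind, and the 3389 entry is listed as Disabled, so neither is evidence of compromise on its own. The Security Center DWORDs are the one thing here worth asking the user about, since on a corporate build McAfee ePO often sets them deliberately.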

Hello again,

UPDATE JAVA

------------------

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 21 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.

-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please launch MBAM, update it and run a full scan. Please post me the resulting log.


Hi Elise,

Here are the MBAM result logs.

===========================================================================

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4440

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

8/17/2010 2:46:10 PM

mbam-log-2010-08-17 (14-46-10).txt

Scan type: Full scan (C:\|)

Objects scanned: 271087

Time elapsed: 2 hour(s), 2 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP375\A0078821.sys (Trojan.Agent.Gen) -> Quarantined and deleted successfully.

C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP376\A0079863.sys (Trojan.Agent.Gen) -> Quarantined and deleted successfully.


Hi there,

Do you have any problems left?

ESET ONLINE SCANNER

----------------------------

I'd like us to scan your machine with ESET OnlineScan

  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the esetOnline.png button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    1. Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.

    3. Check esetAcceptTerms.png
    4. Click the esetStart.png button.
    5. Accept any security warnings from your browser.
    6. Check esetScanArchives.png
    7. Push the Start button.
    8. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    9. When the scan completes, push esetListThreats.png
    10. Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
      Note - when ESET doesn't find any threats, no report will be created.
    11. Push the esetBack.png button.
    12. Push esetFinish.png


Hi Elise,

Here are the ESET online scanner logs. Looks like my laptop still has infections.

=============================================================================

C:\Documents and Settings\sjchopha\My Documents\Nero 8 Ultra Edition 8.1.1.4+KeyMaker\Nero-8.1.1.4_eng_update.exe Win32/Toolbar.AskSBar application deleted - quarantined

C:\Documents and Settings\sjchopha\My Documents\New Folder\Drivers\Nero 8 Ultra Edition 8.1.1.4+KeyMaker\Nero-8.1.1.4_eng_update.exe Win32/Toolbar.AskSBar application deleted - quarantined

C:\Hoang'USB\HOANG PHAM (E)\DVDFab Platinum 3\DVDFab Platinum v3.1.7.0 by GhostHunter.exe probably a variant of Win32/Agent.JSQCOB trojan deleted - quarantined

C:\Hoang'USB\HOANG PHAM (E)\Huron\autorun.inf INF/Autorun.gen trojan cleaned by deleting - quarantined

C:\Program Files\JDownloader\downloads\nr9_www.softarchive.net\Nero\Nero 9.0.9.4b\Nero 9.0.9.4b.exe Win32/Toolbar.AskSBar application deleted - quarantined

C:\Program Files\JDownloader\downloads\nr9_www.softarchive.net\Nero\Nero Move It 1.0.10.0\Nero Move it 1.0.10.0.exe Win32/Toolbar.AskSBar application deleted - quarantined

C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP377\A0080134.exe probably a variant of Win32/Agent.JSQCOB trojan deleted - quarantined

C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP377\A0080135.inf INF/Autorun.gen trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP377\A0080136.exe Win32/Toolbar.AskSBar application deleted - quarantined

C:\System Volume Information\_restore{8BC79291-E322-403F-8E40-1FBD3FCA0EBD}\RP377\A0080137.exe Win32/Toolbar.AskSBar application deleted - quarantined

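The MBAM log and the ESET log posted above both list hits, but the paths tell you which ones mattered: copies inside System Volume Information\_restore{...} are restore-point snapshots that can only come back if System Restore re-applies them, an autorun.inf on a copied USB folder points at how the machine was seeded, and the Nero packages are bundled-toolbar installers the user downloaded. The script below is an added example, not code from this thread or from ESET or Malwarebytes. It parses both posted line formats and sorts each detection into one of those buckets, leaving "live_location" as the bucket that still needs work. SAMPLE_LINES are constructed in the two formats; the bucket rules and keyword lists are assumptions, not scanner logic.

```python
"""Sort scanner detections by where the file lived.

Added example (not from this thread, not ESET or Malwarebytes code). It reads
detection lines in the two formats posted above (MBAM: "path (Name) -> action";
ESET: "path Name action") and puts each hit in a bucket that says whether it
was a live threat or a leftover. SAMPLE_LINES are constructed in those formats;
the bucket rules and keyword lists are assumptions, not scanner logic.
"""
import re

MBAM_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+)$")
ESET_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|sys|inf|tmp|scr)) (?P<rest>.+)$", re.I)
ESET_REST_RE = re.compile(r"^(?P<name>.+?) (?P<action>(?:deleted|cleaned).*)$")

RESTORE = "\\system volume information\\_restore{"
LIVE_ROOTS = ("c:\\windows\\", "c:\\program files\\", "\\start menu\\programs\\startup\\")
CRACK_WORDS = ("keygen", "keymaker", "crack", " by ")

# Constructed sample lines (paths are made up, in the two posted formats).
SAMPLE_LINES = [
    r"C:\System Volume Information\_restore{8BC79291-0000-0000-0000-000000000000}\RP375\A0078821.sys (Trojan.Agent.Gen) -> Quarantined and deleted successfully.",
    r"C:\Documents and Settings\user\My Documents\Nero 8+KeyMaker\Nero-update.exe Win32/Toolbar.AskSBar application deleted - quarantined",
    r"C:\USB copy\Huron\autorun.inf INF/Autorun.gen trojan cleaned by deleting - quarantined",
    r"C:\Program Files\JDownloader\downloads\Nero 9\Nero 9.exe Win32/Toolbar.AskSBar application deleted - quarantined",
    r"C:\System Volume Information\_restore{8BC79291-0000-0000-0000-000000000000}\RP377\A0080135.inf INF/Autorun.gen trojan cleaned by deleting - quarantined",
    r"C:\WINDOWS\system32\drivers\sample.sys probably a variant of Win32/Agent trojan cleaned by deleting - quarantined",
]


def bucket(path):
    """Classify a detected file by its location (order matters: most specific first)."""
    p = path.lower()
    if RESTORE in p:
        return "restore_point_copy"    # inert unless System Restore re-applies it
    if p.endswith("\\autorun.inf"):
        return "autorun_inf"           # removable-media spread vector; check the USB stick too
    if any(w in p for w in CRACK_WORDS) or "\\downloads\\" in p:
        return "downloaded_installer"  # bundled or cracked package the user fetched
    if any(r in p for r in LIVE_ROOTS):
        return "live_location"         # could have been executing; needs follow-up
    return "other"


def parse_line(line):
    """Return (path, detection, action) or None for a line in MBAM or ESET format."""
    m = MBAM_RE.match(line)
    if m:
        return m.group("path"), m.group("name"), m.group("action")
    m = ESET_RE.match(line)
    if not m:
        return None
    rest = ESET_REST_RE.match(m.group("rest"))
    if rest:
        return m.group("path"), rest.group("name"), rest.group("action")
    return m.group("path"), m.group("rest"), ""


def summarize(lines):
    """Count detections per bucket; the live_location bucket is the one that matters."""
    counts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        b = bucket(parsed[0])
        counts[b] = counts.get(b, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        path, name, action = parse_line(line)
        print(f"{bucket(path):22s} {name:45s} {path}")
    print(summarize(SAMPLE_LINES))
```

The restore-point bucket is why helpers on these forums finish a cleanup by flushing System Restore: the scanner has already removed the copies it found, but any snapshot it could not read keeps the originals. The downloads bucket is the helper's "stay clear of cracks" point in data form.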

Hi, these are mostly leftovers, however a good indication that it might be a good idea to steer clear of cracks, keygens and the like. :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :(

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete GMER (this is a randomly named file) and OTL.

Please read this advice, in order to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use, but provide resident protection and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.

  2. Keep Windows (and your other Microsoft software) up to date!

     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

     Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  4. Stay up to date!

     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.


This topic is now closed to further replies.