Jump to content

No malware detected BUT...


Recommended Posts

Ok I am having an issue with google search from my Firefox toolbar. Clicking on a link takes me to random site. I have run Malwarebytes and received no alerts, I have also run Spybot S&D along with McAfee antivirus with no success of finding anything. Here is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 11:17:16 AM, on 9/23/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\OEM02Mon.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\KADxMain.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exeloncorp.com/ess

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100922151539.dll

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe

O4 - HKLM\..\Run: [broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe

O4 - HKLM\..\Run: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe

O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe

O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe

O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe

O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--

End of file - 9495 bytes

Any help would be greatly appreciated.

Link to post
Share on other sites

Ok here is the DDS Report:

DDS (Ver_10-03-17.01) - NTFSx86

Run by Brent Toppert at 0:03:22.73 on Fri 09/24/2010

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2429 [GMT -5:00]

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

C:\WINDOWS\system32\mfevtps.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\OEM02Mon.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe

C:\WINDOWS\system32\KADxMain.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Digital Line Detect\DLG.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Brent Toppert\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.exeloncorp.com/ess

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100922151539.dll

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll

TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File

EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe

mRun: [broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [sigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe

mRun: [KADxMain] c:\windows\system32\KADxMain.exe

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon

mRun: [blackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab

Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\brentt~1\applic~1\mozilla\firefox\profiles\dhp8ktlt.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.geocaching.com/my/ | http://www.cordovalocal.com/forum

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\documents and settings\brent toppert\application data\mozilla\firefox\profiles\dhp8ktlt.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll

FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\microsoft\office live\npOLW.dll

FF - plugin: c:\program files\sony\media go\npmediago.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-3-25 386712]

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-9-22 84072]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-22 271480]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-22 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-22 271480]

R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-9-22 271480]

R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-9-22 171168]

R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-9-22 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-9-20 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-9-22 55840]

R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-9-22 152992]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-9-22 312904]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-9-22 88544]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-11-30 135664]

S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-9-22 52104]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-9-22 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-9-22 84264]

=============== Created Last 30 ================

2010-09-24 04:52:15 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-23 15:55:07 0 d-----w- c:\program files\Trend Micro

2010-09-23 11:02:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-23 11:02:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-09-23 11:02:45 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-23 11:02:45 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-22 20:16:31 0 d-----w- c:\program files\SiteAdvisor

2010-09-22 20:15:37 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-09-22 20:15:30 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-09-22 20:15:30 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-09-22 20:15:30 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-09-22 20:15:30 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-09-22 20:15:29 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-09-22 20:15:29 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-09-22 20:15:29 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-09-22 20:15:19 0 d-----w- c:\program files\common files\Mcafee

2010-09-22 20:15:18 0 d-----w- c:\program files\McAfee.com

2010-09-22 20:15:02 0 d-----w- c:\program files\McAfee

2010-09-20 08:43:35 141792 ----a-w- c:\windows\system32\mfevtps.exe

==================== Find3M ====================

2010-08-24 19:57:38 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-08-24 19:57:38 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-08-17 13:17:06 58880 ------w- c:\windows\system32\dllcache\spoolsv.exe

2010-07-27 06:30:35 8462336 ------w- c:\windows\system32\dllcache\shell32.dll

2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 15:49:15 590848 ------w- c:\windows\system32\dllcache\rpcrt4.dll

2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

2010-06-30 12:31:35 149504 ------w- c:\windows\system32\dllcache\schannel.dll

2009-08-11 14:10:49 22528 --sha-w- c:\windows\system32\ridogeku.exe

2009-06-12 03:18:06 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009060120090608\index.dat

2009-06-12 03:18:06 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009061120090612\index.dat

============= FINISH: 0:04:47.85 ===============

And here is the Rootkit Unhooker Report:

RkU Version: 3.8.388.590, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xB829A000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5709824 bytes (Intel Corporation, Intel Graphics Miniport Driver)

0xBF1D8000 C:\WINDOWS\System32\igxpdx32.DLL 2605056 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)

0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2150400 bytes

0x804D7000 RAW 2150400 bytes

0x804D7000 WMIxWDM 2150400 bytes

0xBF800000 Win32k 1855488 bytes

0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xBF04E000 C:\WINDOWS\System32\igxpdv32.DLL 1613824 bytes (Intel Corporation, Component GHAL Driver)

0xB80E6000 C:\WINDOWS\system32\DRIVERS\bcmwl5.sys 1392640 bytes (Broadcom Corporation, Broadcom 802.11 Network Adapter wireless driver)

0xA4872000 C:\WINDOWS\system32\drivers\sthda.sys 1171456 bytes (SigmaTel, Inc., NDRC)

0xA46EB000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 991232 bytes (Conexant Systems, Inc., HSF_DP driver)

0xB9E73000 iaStor.sys 778240 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)

0xA4638000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 733184 bytes (Conexant Systems, Inc., HSF_CNXT driver)

0xB9D2D000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xA0E87000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xB7EBF000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xB9DE4000 mfehidk.sys 380928 bytes (McAfee, Inc., McAfee Link Driver)

0xA0FDF000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xA0C73000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)

0xB806D000 C:\WINDOWS\system32\DRIVERS\rixdptsk.sys 331776 bytes (REDC, RICOH XD SM Driver)

0xB7F45000 C:\WINDOWS\system32\drivers\mfefirek.sys 307200 bytes (McAfee, Inc., McAfee Core Firewall Engine Driver)

0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xA03E1000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xA0F22000 C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys 237568 bytes (Creative Technology Ltd., Video Capture Device Driver)

0xA47DD000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 212992 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)

0xB803B000 C:\WINDOWS\system32\DRIVERS\SynTP.sys 204800 bytes (Synaptics, Inc., Synaptics Touchpad Driver)

0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xA0D6A000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xB9D00000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0x9F830000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)

0xA0EF7000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 172032 bytes (Intel Corporation, Intel Graphics 2D Driver)

0xB823A000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xA0F7E000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)

0xA0FA6000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xB7FB8000 C:\WINDOWS\system32\drivers\mfeavfk.sys 147456 bytes (McAfee, Inc., Anti-Virus File System Filter Driver)

0xA484E000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xB8262000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xB8018000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xA4811000 C:\WINDOWS\system32\Drivers\OEM02Afx.sys 143360 bytes (Creative Technology Ltd., Advanced Audio FX Driver)

0xA0F5C000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x806E4000 ACPI_HAL 134400 bytes

0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xB9E53000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xA4834000 C:\WINDOWS\system32\drivers\dxec02.sys 106496 bytes (Knowles Acoustics, dxec02.sys)

0xB9CE6000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xB9DCD000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xB7FED000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0x9F6DA000 C:\WINDOWS\system32\drivers\mfeapfk.sys 90112 bytes (McAfee, Inc., Access Protection Filter Driver)

0xA0876000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xB8004000 C:\WINDOWS\system32\DRIVERS\mfendisk.sys 81920 bytes (McAfee, Inc., McAfee NDIS Intermediate Driver)

0xB80BE000 C:\WINDOWS\system32\DRIVERS\rimsptsk.sys 81920 bytes (REDC, RICOH MS Driver)

0xB80D2000 C:\WINDOWS\system32\DRIVERS\sdbus.sys 81920 bytes (Microsoft Corporation, SecureDigital Bus Driver)

0xB8286000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xA1038000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xA0FCC000 C:\WINDOWS\system32\drivers\mfetdi2k.sys 77824 bytes (McAfee, Inc., Anti-Virus Mini-Firewall Driver)

0xB9DBA000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)

0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)

0xB9E41000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xB7FDC000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xBA278000 C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys 65536 bytes (Broadcom Corporation, Broadcom Corporation NDIS 5.1 ethernet driver)

0xA12B8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xBA2C8000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xBA298000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)

0xBA0F8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)

0xA12C8000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)

0xA5957000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xBA2D8000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xA0943000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xB880C000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xBA108000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)

0xBA288000 C:\WINDOWS\system32\DRIVERS\rimmptsk.sys 57344 bytes (REDC, RICOH MMC Driver)

0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xBA2A8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)

0xBA2E8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xA05C0000 C:\WINDOWS\system32\drivers\cfwids.sys 49152 bytes (McAfee, Inc., McAfee Personal Firewall IDS Plugin)

0xBA308000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xA1BE3000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xBA2B8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xBA2F8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xBA138000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xBA128000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xBA258000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xBA318000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xA5947000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0x9FB73000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)

0xA1B63000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xBA408000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)

0xA191A000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xA1912000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0xBA3C8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xBA3A8000 C:\WINDOWS\system32\DRIVERS\RimSerial.sys 28672 bytes (Research in Motion Ltd, RIM Virtual Serial Driver)

0xBA460000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)

0xBA3D8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xBA3D0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xBA468000 C:\WINDOWS\System32\Drivers\RimUsb.sys 24576 bytes (Research In Motion Limited, BlackBerry Device Driver)

0xBA3C0000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)

0xA1C67000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xA1C5F000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xBA398000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xBA3A0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xBA438000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xA5449000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xA15A3000 C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS 16384 bytes (Dell Inc, App Support Driver)

0x9FF56000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)

0xBA4C4000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)

0xB9AC2000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)

0xA0CCA000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface x86 Driver)

0xBA580000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xA54B8000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xBA4BC000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xBA4C0000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)

0xA54D0000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xA18CE000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)

0xB9AB2000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xA18C6000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xB9ABE000 C:\WINDOWS\system32\DRIVERS\wmiacpi.sys 12288 bytes (Microsoft Corporation, Windows Management Interface for ACPI)

0xBA660000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xBA65C000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xBA632000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xBA61A000 C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys 8192 bytes (EyePower Games Pte. Ltd., Advanced Video FX Filter

Driver (Win2K based))

0xBA616000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xBA5F2000 C:\WINDOWS\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)

0xBA5F8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xBA5F0000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xBA5A8000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0x8B1BE000 C:\WINDOWS\system32\KDCOM.DLL 7040 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xBA706000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xA5E7D000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xA1C58000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

!!!!!!!!!!!Hidden driver: 0x8B127ABF ?_empty_? 1345 bytes

==============================================

>Stealth

==============================================

0xB9F31000 WARNING: suspicious driver modification [atapi.sys::0x8B127ABF]

0xA04C2730 Unknown thread object [ ETHREAD 0x887C0020 ] , 600 bytes

==============================================

>Files

==============================================

!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9OJJTGDF\true%3Bkvvchoice%3Dtrue%3Bkvvchoiceselect%3Dtrue;loc=100;noperf=1;target=_blank;cc=2;sub1=1404721;sub2=1404723;sub3=140472

0;sub4=1404722;misc=484993695[1]if

!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VTGTA6SH\2Ftrailers.mevio[1].com%252F%253Fp_id%253D1003%2526ch%253D4%2526f1%253D175%2526utm_source%253D019828%2526utm_medium%253D019828%2526utm_campaign%253D019828tm

!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Y8FO01DU\dref=http%253A%252F%252Fypeek.yellowbook[1].com%252Fyellow-pages%252F%253Fwhat%253Dbeauty+salons%2526where%253DBoston%25252c+MA%2526searchmethod%253Dbrowse0

==============================================

>Hooks

==============================================

ntkrnlpa.exe+0x0006ECBE, Type: Inline - RelativeJump 0x80545CBE-->80545CC5 [ntkrnlpa.exe]

ntkrnlpa.exe-->NtCreateKey, Type: Inline - RelativeJump 0x806237C8-->B9E17094 [mfehidk.sys]

ntkrnlpa.exe-->NtDeleteKey, Type: Inline - RelativeJump 0x80623C64-->B9E170A8 [mfehidk.sys]

ntkrnlpa.exe-->NtDeleteValueKey, Type: Inline - RelativeJump 0x80623E34-->B9E170D4 [mfehidk.sys]

ntkrnlpa.exe-->NtMapViewOfSection, Type: Inline - RelativeJump 0x805B1FE6-->B9E1712A [mfehidk.sys]

ntkrnlpa.exe-->NtOpenKey, Type: Inline - RelativeJump 0x80624BA6-->B9E17080 [mfehidk.sys]

ntkrnlpa.exe-->NtOpenProcess, Type: Inline - RelativeJump 0x805CB3FA-->B9E17058 [mfehidk.sys]

ntkrnlpa.exe-->NtOpenThread, Type: Inline - RelativeJump 0x805CB686-->B9E1706C [mfehidk.sys]

ntkrnlpa.exe-->NtRenameKey, Type: Inline - RelativeJump 0x806231EA-->B9E170BE [mfehidk.sys]

ntkrnlpa.exe-->NtSetSecurityObject, Type: Inline - RelativeJump 0x805C05DA-->B9E17100 [mfehidk.sys]

ntkrnlpa.exe-->NtSetValueKey, Type: Inline - RelativeJump 0x80621D3A-->B9E170EA [mfehidk.sys]

ntkrnlpa.exe-->NtTerminateProcess, Type: Inline - RelativeJump 0x805D2982-->B9E17154 [mfehidk.sys]

ntkrnlpa.exe-->NtUnmapViewOfSection, Type: Inline - RelativeJump 0x805B2DF4-->B9E17140 [mfehidk.sys]

ntkrnlpa.exe-->NtYieldExecution, Type: Inline - RelativeJump 0x80504B08-->B9E17114 [mfehidk.sys]

[104]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[104]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[104]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[104]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[104]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[104]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[104]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[104]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[104]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[104]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[104]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[104]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[104]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[104]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[104]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[104]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[104]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]

[1136]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[1136]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[1136]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[1136]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[1136]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[1136]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[1136]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[1136]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[1136]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[1136]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[1136]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[1136]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[1136]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[1136]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[1136]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[1136]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[1420]services.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[1420]services.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[1420]services.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[1420]services.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[1420]services.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[1420]services.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[1420]services.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[1420]services.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[1420]services.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[1420]services.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[1420]services.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[1420]services.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[1420]services.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[1420]services.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[1420]services.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[1420]services.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[1432]lsass.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[1432]lsass.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[1432]lsass.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[1432]lsass.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[1432]lsass.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[1432]lsass.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[1432]lsass.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[1432]lsass.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[1432]lsass.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[1432]lsass.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[1432]lsass.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[1432]lsass.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[1432]lsass.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[1432]lsass.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[1432]lsass.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[1432]lsass.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[1432]lsass.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]

[1604]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[1604]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[1604]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[1604]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[1604]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[1604]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[1604]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[1604]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[1604]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[1604]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[1604]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[1604]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[1604]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[1604]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[1604]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[1604]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[1604]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]

[1696]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[1696]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[1696]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[1696]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[1696]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[1696]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[1696]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[1696]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[1696]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[1696]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[1696]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[1696]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[1696]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[1696]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[1696]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[1696]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[1696]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]

[1740]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[1740]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[1740]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[1740]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[1740]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[1740]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[1740]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[1740]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[1740]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[1740]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[1740]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[1740]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[1740]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[1740]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[1740]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[1740]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[1740]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[1740]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]

[1740]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[1740]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[1740]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[1740]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[1740]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]

[1796]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[1796]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[1796]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[1796]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[1796]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[1796]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[1796]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[1796]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[1796]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[1796]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[1796]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[1796]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[1796]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[1796]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[1796]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[1796]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[2000]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[2000]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[2000]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[2000]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[2000]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[2000]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[2000]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[2000]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[2000]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[2000]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[2000]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[2000]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[2000]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[2000]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[2000]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[2000]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[2000]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]

[2068]firefox.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[2068]firefox.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[2068]firefox.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[2068]firefox.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[2068]firefox.exe-->ntdll.dll-->LdrLoadDll, Type: Inline - RelativeJump 0x7C9163C3-->00000000 [firefox.exe]

[2068]firefox.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[2068]firefox.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[2536]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]

[2536]explorer.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[2536]explorer.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[2536]explorer.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[2536]explorer.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[2536]explorer.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[2536]explorer.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[2536]explorer.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[2536]explorer.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[2536]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]

[2536]explorer.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]

[2536]explorer.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[2536]explorer.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[2536]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]

[2536]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]

[2536]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]

[2536]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]

[2536]explorer.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[2536]explorer.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[2536]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[2536]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]

[2536]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]

[2536]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]

[2536]explorer.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[2536]explorer.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[2536]explorer.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[2536]explorer.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[2536]explorer.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]

[680]svchost.exe-->advapi32.dll-->RegCreateKeyA, Type: Inline - RelativeJump 0x77DFBCF3-->00000000 [unknown_code_page]

[680]svchost.exe-->advapi32.dll-->RegCreateKeyExA, Type: Inline - RelativeJump 0x77DDE9F4-->00000000 [unknown_code_page]

[680]svchost.exe-->advapi32.dll-->RegCreateKeyExW, Type: Inline - RelativeJump 0x77DD776C-->00000000 [unknown_code_page]

[680]svchost.exe-->advapi32.dll-->RegCreateKeyW, Type: Inline - RelativeJump 0x77DFBA55-->00000000 [unknown_code_page]

[680]svchost.exe-->advapi32.dll-->RegOpenKeyA, Type: Inline - RelativeJump 0x77DDEFC8-->00000000 [unknown_code_page]

[680]svchost.exe-->advapi32.dll-->RegOpenKeyExA, Type: Inline - RelativeJump 0x77DD7852-->00000000 [unknown_code_page]

[680]svchost.exe-->advapi32.dll-->RegOpenKeyExW, Type: Inline - RelativeJump 0x77DD6AAF-->00000000 [unknown_code_page]

[680]svchost.exe-->advapi32.dll-->RegOpenKeyW, Type: Inline - RelativeJump 0x77DD7946-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->CreateFileA, Type: Inline - RelativeJump 0x7C801A28-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->CreateFileW, Type: Inline - RelativeJump 0x7C810800-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->CreateNamedPipeA, Type: Inline - RelativeJump 0x7C860CDC-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->CreateNamedPipeW, Type: Inline - RelativeJump 0x7C82F0DD-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->CreatePipe, Type: Inline - RelativeJump 0x7C81D83F-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->CreateProcessA, Type: Inline - RelativeJump 0x7C80236B-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->CreateProcessW, Type: Inline - RelativeJump 0x7C802336-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->GetProcAddress, Type: Inline - RelativeJump 0x7C80AE40-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->GetStartupInfoA, Type: Inline - RelativeJump 0x7C801EF2-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->GetStartupInfoW, Type: Inline - RelativeJump 0x7C801E54-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->LoadLibraryExA, Type: Inline - RelativeJump 0x7C801D53-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->LoadLibraryExW, Type: Inline - RelativeJump 0x7C801AF5-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->VirtualProtect, Type: Inline - RelativeJump 0x7C801AD4-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->VirtualProtectEx, Type: Inline - RelativeJump 0x7C801A61-->00000000 [unknown_code_page]

[680]svchost.exe-->kernel32.dll-->WinExec, Type: Inline - RelativeJump 0x7C86250D-->00000000 [unknown_code_page]

[680]svchost.exe-->ntdll.dll-->NtCreateFile, Type: Inline - RelativeJump 0x7C90D0AE-->00000000 [unknown_code_page]

[680]svchost.exe-->ntdll.dll-->NtCreateProcess, Type: Inline - RelativeJump 0x7C90D14E-->00000000 [unknown_code_page]

[680]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]

[680]svchost.exe-->wininet.dll-->InternetOpenA, Type: Inline - RelativeJump 0x3D95D690-->00000000 [unknown_code_page]

[680]svchost.exe-->wininet.dll-->InternetOpenUrlA, Type: Inline - RelativeJump 0x3D95F3A4-->00000000 [unknown_code_page]

[680]svchost.exe-->wininet.dll-->InternetOpenUrlW, Type: Inline - RelativeJump 0x3D9A6DDF-->00000000 [unknown_code_page]

[680]svchost.exe-->wininet.dll-->InternetOpenW, Type: Inline - RelativeJump 0x3D95DB09-->00000000 [unknown_code_page]

[680]svchost.exe-->ws2_32.dll-->socket, Type: Inline - RelativeJump 0x71AB4211-->00000000 [unknown_code_page]

[708]plugin-container.exe-->user32.dll-->TrackPopupMenu, Type: Inline - RelativeJump 0x7E46531E-->00000000 [xul.dll]

[900]McSvHost.exe-->kernel32.dll-->LoadLibraryA, Type: Inline - RelativeJump 0x7C801D7B-->00000000 [McProxy.dll]

[900]McSvHost.exe-->kernel32.dll-->LoadLibraryW, Type: Inline - RelativeJump 0x7C80AEEB-->00000000 [McProxy.dll]

Thank you very much for taking the time to help with my issue(s)

Attach.txt

Link to post
Share on other sites

Havoc_1980:

icon11.gif Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop

  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now
  • Once complete, a log will be produced at root. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.

icon11.gif Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :Files
    c:\windows\system32\ridogeku.exe
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "472734EA-242A-422B-ADF8-83D1E48CC825"=-
    [-HKEY_CLASSES_ROOT\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}]
    :Commands
    [EmptyFlash]
    [EmptyTemp]


  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please include the following in your next post:

  • TDSSKiller log
  • OTM log

Link to post
Share on other sites

Ok here is the OTM log:

All processes killed

========== FILES ==========

c:\windows\system32\ridogeku.exe moved successfully.

========== REGISTRY ==========

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\472734EA-242A-422B-ADF8-83D1E48CC825 not

found.

Registry key HKEY_CLASSES_ROOT\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}\ not found.

========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

->FireFox cache emptied: 3417833 bytes

User: All Users

User: Brent Toppert

->Temp folder emptied: 11919651 bytes

->Temporary Internet Files folder emptied: 18411186 bytes

->Java cache emptied: 643105 bytes

->FireFox cache emptied: 48552066 bytes

->Google Chrome cache emptied: 819568 bytes

->Flash cache emptied: 1167 bytes

User: Default User

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService

->Temp folder emptied: 66016 bytes

->Temporary Internet Files folder emptied: 360794 bytes

->Flash cache emptied: 10412 bytes

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 852370 bytes

->Flash cache emptied: 7338 bytes

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 19569 bytes

%systemroot%\System32 .tmp files removed: 1162769 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 428943 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 56435262 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 3565957 bytes

RecycleBin emptied: 1193882 bytes

Total Files Cleaned = 141.00 mb

OTM by OldTimer - Version 3.1.16.1 log created on 09242010_110846

Files moved on Reboot...

Registry entries deleted on Reboot...

TDSSKiller.txt

Link to post
Share on other sites

Havoc_1980:

Please do this next:

icon11.gif You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

icon11.gif Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases

    [*]Click on My Computer under the green Scan bar to the left to start the scan.

    [*]Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

    [*]Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.

    [*]Click View report... at the bottom.

    [*] Click the Save report... button.

    [*] Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

Please include the following in your next post:

  • MBAM log
  • Kaspersky log
  • How is the computer running now?

Link to post
Share on other sites

MBAM report:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4686

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/24/2010 11:48:58 AM

mbam-log-2010-09-24 (11-48-58).txt

Scan type: Quick scan

Objects scanned: 147622

Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Kaspersky Report:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, September 24, 2010

Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Friday, September 24, 2010 12:15:52

Records in database: 4234843

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Objects scanned: 62829

Threats found: 1

Infected objects found: 1

Suspicious objects found: 0

Scan duration: 01:08:35

File name / Threat / Threats count

C:\_OTM\MovedFiles\09242010_110846\c_windows\system32\ridogeku.exe Infected: Trojan.Win32.FraudPack.zux 1

Selected area has been scanned.

Feedback on computer:

After running MBAM I received a Generic Host Process for Win32 Services error.

I clicked on details and am including them for you to view.

szAppName: svchost.exe szAppVer: 5.1.2600.5512

szModName: Flash10e.ocx szModVer: 10.0.45.2 offset: 000e6e00

Tech information about the error report:

C:\DOCUME~1\BRENTT~1\LOCALS~1\Temp\WER8a21.dir00\svchost.exe

C:\DOCUME~1\BRENTT~1\LOCALS~1\Temp\WER8a21.dir00\appcompat.exe

After running Kaspersky I did a couple of google searches from my Firefox toolbar and clicked on the google links provided and all seems well. All of the links took me to the correct sites, not random sites as before.

Link to post
Share on other sites

Havoc_1980:

Your logs look good. I have some important cleanup for you to do, then I want to make sure that error was a one time occurrence:

icon11.gif Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version.

icon11.gif Cleanup with OTM

  • Double-click OTM.exe to start the program.
  • Close all other programs apart from OTM as this step will require a reboot
  • On the OTM main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.
  • Manually delete any remaining tools or logs from our work

Once you have finished these steps, reboot and try another MBAM Quick Scan. Let me know if you get that error again.

Link to post
Share on other sites

MBAM Report:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4686

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

9/24/2010 3:33:56 PM

mbam-log-2010-09-24 (15-33-56).txt

Scan type: Quick scan

Objects scanned: 151804

Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I did not get the error after this recent run of MBAM, unfortunately I am getting redirects from Firefox google toolbar search results again.

Link to post
Share on other sites

Havoc_1980:

OK, time for a bigger hammer then:

icon11.gif Please download MBRCheck.exe to your desktop.

  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your deskop. Please post the contents of that file.

icon11.gif Download ComboFix from one of the following locations:

Link 1

Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link

  • Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RC1.png

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

  • Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please include the following in your next post:

  • MBRCheck log
  • ComboFix log

Link to post
Share on other sites

MBRCheck log:

MBRCheck, version 1.2.3

© 2010, AD

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x0000000c

Kernel Drivers (total 135):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E4000 \WINDOWS\system32\hal.dll

0x8B0F4000 \WINDOWS\system32\KDCOM.DLL

0xBA4BC000 \WINDOWS\system32\BOOTVID.dll

0xB9F79000 ACPI.sys

0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xB9F68000 pci.sys

0xBA0A8000 isapnp.sys

0xBA4C0000 compbatt.sys

0xBA4C4000 \WINDOWS\system32\DRIVERS\BATTC.SYS

0xBA670000 pciide.sys

0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xBA0B8000 MountMgr.sys

0xB9F49000 ftdisk.sys

0xBA330000 PartMgr.sys

0xBA0C8000 VolSnap.sys

0xB9F31000 atapi.sys

0xB9E73000 iaStor.sys

0xBA0D8000 disk.sys

0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xB9E53000 fltmgr.sys

0xB9E41000 sr.sys

0xB9DE4000 mfehidk.sys

0xB9DCD000 KSecDD.sys

0xB9DBA000 WudfPf.sys

0xB9D2D000 Ntfs.sys

0xB9D00000 NDIS.sys

0xBA0F8000 ohci1394.sys

0xBA108000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xB9CE6000 Mup.sys

0xBA298000 \SystemRoot\system32\DRIVERS\nic1394.sys

0xBA248000 \SystemRoot\system32\DRIVERS\intelppm.sys

0xB8233000 \SystemRoot\system32\DRIVERS\igxpmp32.sys

0xB821F000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xBA3C0000 \SystemRoot\system32\DRIVERS\usbuhci.sys

0xB81FB000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xBA3C8000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB81D3000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xB807F000 \SystemRoot\system32\DRIVERS\bcmwl5.sys

0xBA258000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys

0xB806B000 \SystemRoot\system32\DRIVERS\sdbus.sys

0xBA268000 \SystemRoot\system32\DRIVERS\rimmptsk.sys

0xB8057000 \SystemRoot\system32\DRIVERS\rimsptsk.sys

0xB8006000 \SystemRoot\system32\DRIVERS\rixdptsk.sys

0xBA278000 \SystemRoot\system32\DRIVERS\i8042prt.sys

0xB7FD4000 \SystemRoot\system32\DRIVERS\SynTP.sys

0xBA5E6000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xBA3D0000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xBA3D8000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xBA288000 \SystemRoot\system32\DRIVERS\imapi.sys

0xBA2A8000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xBA2B8000 \SystemRoot\system32\DRIVERS\redbook.sys

0xB7FB1000 \SystemRoot\system32\DRIVERS\ks.sys

0xB9C9E000 \SystemRoot\system32\DRIVERS\CmBatt.sys

0xB9AC2000 \SystemRoot\system32\DRIVERS\wmiacpi.sys

0xBA6F5000 \SystemRoot\system32\DRIVERS\audstub.sys

0xB7F9D000 \SystemRoot\system32\DRIVERS\mfendisk.sys

0xBA5EA000 \SystemRoot\System32\Drivers\RootMdm.sys

0xBA408000 \SystemRoot\System32\Drivers\Modem.SYS

0xBA2C8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xB9AB6000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB7F86000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xBA2D8000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xBA2E8000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xBA438000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB7F75000 \SystemRoot\system32\DRIVERS\psched.sys

0xBA2F8000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xB7F51000 \SystemRoot\system32\drivers\mfeavfk.sys

0xB7EDE000 \SystemRoot\system32\drivers\mfefirek.sys

0xBA398000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xBA3A0000 \SystemRoot\system32\DRIVERS\raspti.sys

0xBA3A8000 \SystemRoot\system32\DRIVERS\RimSerial.sys

0xBA308000 \SystemRoot\system32\DRIVERS\termdd.sys

0xBA5F0000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB7E58000 \SystemRoot\system32\DRIVERS\update.sys

0xBA57C000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA318000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xB87C5000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xA485A000 \SystemRoot\system32\drivers\sthda.sys

0xA4836000 \SystemRoot\system32\drivers\portcls.sys

0xA554C000 \SystemRoot\system32\drivers\drmk.sys

0xA481C000 \SystemRoot\system32\drivers\dxec02.sys

0xA47F9000 \??\C:\WINDOWS\system32\Drivers\OEM02Afx.sys

0xA47C5000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys

0xA46D3000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys

0xA4620000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys

0xA18B2000 \SystemRoot\System32\Drivers\i2omgmt.SYS

0xBA642000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xA1B1F000 \SystemRoot\System32\Drivers\Null.SYS

0xBA624000 \SystemRoot\System32\Drivers\Beep.SYS

0xA1C4F000 \SystemRoot\System32\drivers\vga.sys

0xBA638000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xBA63C000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xA1C47000 \SystemRoot\System32\Drivers\Msfs.SYS

0xA1902000 \SystemRoot\System32\Drivers\Npfs.SYS

0xA18AE000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xA1020000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xA0FC7000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xA0FB4000 \SystemRoot\system32\drivers\mfetdi2k.sys

0xA0F8E000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xA0F66000 \SystemRoot\system32\DRIVERS\netbt.sys

0xA0F44000 \SystemRoot\System32\drivers\afd.sys

0xA5900000 \SystemRoot\system32\DRIVERS\netbios.sys

0xA0F19000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xA0EA9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xA58E0000 \SystemRoot\System32\Drivers\Fips.SYS

0xA1892000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS

0xA18D2000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0xA0E6F000 \SystemRoot\system32\DRIVERS\OEM02Dev.sys

0xBA604000 \SystemRoot\system32\DRIVERS\OEM02Vfx.sys

0xA1BBB000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xA1BAB000 \SystemRoot\system32\DRIVERS\arp1394.sys

0xA1B9B000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xA721F000 \SystemRoot\System32\drivers\Dxapi.sys

0xA1309000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xA1057000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF024000 \SystemRoot\System32\igxpgd32.dll

0xBF012000 \SystemRoot\System32\igxprd32.dll

0xBF04E000 \SystemRoot\System32\igxpdv32.DLL

0xBF1D8000 \SystemRoot\System32\igxpdx32.DLL

0xA0E27000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xA0D52000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xA0C5B000 \SystemRoot\system32\DRIVERS\srv.sys

0xBFFA0000 \SystemRoot\System32\ATMFD.DLL

0xA0CFA000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys

0xA0903000 \SystemRoot\system32\drivers\cfwids.sys

0xA0632000 \SystemRoot\system32\drivers\wdmaud.sys

0xBA148000 \SystemRoot\system32\drivers\sysaudio.sys

0xA014D000 \SystemRoot\System32\Drivers\HTTP.sys

0x9FA73000 \SystemRoot\system32\drivers\mfeapfk.sys

0x9FA48000 \SystemRoot\system32\drivers\kmixer.sys

0x9FA24000 \SystemRoot\System32\Drivers\Fastfat.SYS

0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 47):

0 System Idle Process

4 System

700 C:\WINDOWS\system32\smss.exe

1348 csrss.exe

1372 C:\WINDOWS\system32\winlogon.exe

1424 C:\WINDOWS\system32\services.exe

1436 C:\WINDOWS\system32\lsass.exe

1616 C:\WINDOWS\system32\svchost.exe

1708 svchost.exe

1784 C:\WINDOWS\system32\svchost.exe

1832 C:\WINDOWS\system32\svchost.exe

2008 svchost.exe

148 svchost.exe

508 C:\WINDOWS\system32\WLTRYSVC.EXE

524 C:\WINDOWS\system32\BCMWLTRY.EXE

556 C:\WINDOWS\system32\spoolsv.exe

688 svchost.exe

756 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

768 C:\Program Files\Bonjour\mDNSResponder.exe

1028 C:\Program Files\Java\jre6\bin\jqs.exe

1076 C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe

1096 C:\Program Files\Google\Update\GoogleUpdate.exe

1132 C:\WINDOWS\system32\mfevtps.exe

1828 C:\WINDOWS\system32\svchost.exe

248 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

1288 C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe

1628 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE

1324 C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe

2376 alg.exe

2916 C:\WINDOWS\explorer.exe

2976 C:\WINDOWS\system32\rundll32.exe

1036 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

3084 C:\WINDOWS\system32\hkcmd.exe

3100 C:\WINDOWS\system32\igfxpers.exe

3404 C:\WINDOWS\OEM02Mon.exe

3420 C:\WINDOWS\system32\WLTRAY.EXE

3448 C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe

3464 C:\WINDOWS\system32\KADxMain.exe

3472 C:\WINDOWS\system32\igfxsrvc.exe

3572 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

3704 C:\Program Files\Common Files\Research in Motion\Auto Update\RIMAutoUpdate.exe

404 C:\Program Files\McAfee.com\Agent\mcagent.exe

2080 C:\WINDOWS\system32\svchost.exe

1428 C:\WINDOWS\system32\ctfmon.exe

1168 C:\Program Files\Digital Line Detect\DLG.exe

3824 C:\WINDOWS\system32\wscntfy.exe

3284 C:\Documents and Settings\Brent Toppert\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK2555GSX, Rev: FG000D

Size Device Name MBR Status

--------------------------------------------

232 GB \\.\PhysicalDrive0 Dell MBR code detected

SHA1: 57BDF501CE769EF2720C705B6C71C893DA31574E

Done!

ComboFix log:

ComboFix 10-09-24.03 - Brent Toppert 09/24/2010 16:30:03.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2542 [GMT -5:00]

Running from: c:\documents and settings\Brent Toppert\Desktop\ComboFix.exe

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Brent Toppert\Application Data\EurekaLog

c:\documents and settings\Brent Toppert\Application Data\EurekaLog\EurekaLog.ini

c:\windows\system32\wininit.dll

.

((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))

.

2010-09-24 04:52 . 2010-09-24 04:52 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-23 15:55 . 2010-09-23 15:55 388096 ----a-r- c:\documents and settings\Brent Toppert\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-09-23 15:55 . 2010-09-23 15:55 -------- d-----w- c:\program files\Trend Micro

2010-09-23 11:02 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-23 11:02 . 2010-09-23 11:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-23 11:02 . 2010-09-23 11:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-23 11:02 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-22 20:16 . 2010-09-22 20:16 -------- d-----w- c:\program files\SiteAdvisor

2010-09-22 20:15 . 2010-08-24 19:57 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-09-22 20:15 . 2010-08-24 19:57 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-09-22 20:15 . 2010-08-24 19:57 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-09-22 20:15 . 2010-08-24 19:57 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-09-22 20:15 . 2010-08-24 19:57 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-09-22 20:15 . 2010-08-24 19:57 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-09-22 20:15 . 2010-08-24 19:57 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-09-22 20:15 . 2010-08-24 19:57 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-09-22 20:15 . 2010-09-22 20:16 -------- d-----w- c:\program files\Common Files\Mcafee

2010-09-22 20:15 . 2010-09-22 20:15 -------- d-----w- c:\program files\McAfee.com

2010-09-22 20:15 . 2010-09-23 00:14 -------- d-----w- c:\program files\McAfee

2010-09-22 19:40 . 2010-09-22 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-09-20 08:43 . 2010-08-24 19:57 141792 ----a-w- c:\windows\system32\mfevtps.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-24 20:19 . 2009-07-10 19:13 -------- d-----w- c:\program files\Common Files\Adobe

2010-09-24 04:53 . 2009-06-03 22:39 -------- d-----w- c:\program files\Common Files\Java

2010-09-24 04:51 . 2009-06-03 22:39 -------- d-----w- c:\program files\Java

2010-09-23 16:52 . 2009-11-23 17:57 -------- d-----w- c:\program files\pup7

2010-09-22 20:17 . 2009-06-03 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-09-20 06:52 . 2009-11-10 05:11 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-09-20 06:52 . 2009-11-12 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-09-20 06:51 . 2009-11-30 09:25 -------- d-----w- c:\documents and settings\Brent Toppert\Application Data\Move Networks

2010-09-16 13:29 . 2009-08-18 15:48 243 ----a-w- c:\documents and settings\Brent Toppert\Application Data\gsak\babel.bat

2010-09-16 13:29 . 2009-08-18 15:26 -------- d-----w- c:\documents and settings\Brent Toppert\Application Data\gsak

2010-09-16 13:29 . 2009-06-03 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-09-16 13:22 . 2009-08-18 15:26 -------- d-----w- c:\program files\gsak

2010-09-05 05:11 . 2009-07-11 02:52 -------- d-----w- c:\program files\Microsoft Silverlight

2010-08-24 19:57 . 2010-08-24 19:57 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-08-24 19:57 . 2009-03-25 16:06 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-08-17 13:17 . 2004-08-10 17:51 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-07-25 07:59 . 2010-07-25 07:59 10134 ----a-r- c:\documents and settings\Brent Toppert\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe

2010-07-22 15:49 . 2004-08-10 17:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-06-04 04:55 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-06-30 12:31 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\schannel.dll

2010-08-24 19:57 . 2010-09-22 20:15 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll

[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\System32\eventlog.dll ... is missing !!

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-10 137752]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-10 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-10 137752]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-16 2289664]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-31 405504]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-3 50688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\KADxMain.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDSVCM.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [9/22/2010 3:15 PM 84072]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/22/2010 3:15 PM 271480]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/22/2010 3:15 PM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/22/2010 3:15 PM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [9/22/2010 3:15 PM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/20/2010 3:43 AM 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [9/22/2010 3:15 PM 55840]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [9/22/2010 3:15 PM 312904]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [9/22/2010 3:15 PM 88544]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/30/2009 9:43 AM 135664]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [9/22/2010 3:15 PM 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/22/2010 3:15 PM 84264]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2009-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb0da660a74be0.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 14:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.exeloncorp.com/ess

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Brent Toppert\Application Data\Mozilla\Firefox\Profiles\dhp8ktlt.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.geocaching.com/my/ | http://www.cordovalocal.com/forum

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\documents and settings\Brent Toppert\Application Data\Mozilla\Firefox\Profiles\dhp8ktlt.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll

FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll

FF - plugin: c:\program files\Sony\Media Go\npmediago.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-24 16:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B12AC76]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f37852

\Driver\iaStor -> iaStor.sys @ 0xb9e7cc1a

IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Dell Wireless 1395 WLAN Mini-Card -> SendCompleteHandler -> NDIS.sys @ 0xb9d15bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d04a0d

SendHandler -> NDIS.sys @ 0xb9d18b40

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,b5,ce,01,c8,00,f4,4d,a6,0f,ec,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,b5,ce,01,c8,00,f4,4d,a6,0f,ec,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1376)

c:\windows\system32\WININET.dll

c:\windows\System32\BCMLogon.dll

c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(1436)

c:\windows\system32\WININET.dll

.

Completion time: 2010-09-24 16:43:11

ComboFix-quarantined-files.txt 2010-09-24 21:43

Pre-Run: 210,427,064,320 bytes free

Post-Run: 210,622,713,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D92D78ECB6D66D158CE42CB697440760

Link to post
Share on other sites

Havoc_1980:

icon11.gif Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop

  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected
  • Then click Continue > Reboot now
  • Once complete, a log will be produced at root. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Attach that log, please.

icon11.gif Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above FCopy::

FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | c:\windows\System32\eventlog.dll

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Please include the following in your next post:

  • TDSSKiller log
  • ComboFix log

Link to post
Share on other sites

TDSSKiller log:

2010/09/24 17:36:32.0109 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44

2010/09/24 17:36:32.0109 ================================================================================

2010/09/24 17:36:32.0109 SystemInfo:

2010/09/24 17:36:32.0109

2010/09/24 17:36:32.0109 OS Version: 5.1.2600 ServicePack: 3.0

2010/09/24 17:36:32.0109 Product type: Workstation

2010/09/24 17:36:32.0109 ComputerName: TOPPS_POS

2010/09/24 17:36:32.0109 UserName: Brent Toppert

2010/09/24 17:36:32.0109 Windows directory: C:\WINDOWS

2010/09/24 17:36:32.0109 System windows directory: C:\WINDOWS

2010/09/24 17:36:32.0109 Processor architecture: Intel x86

2010/09/24 17:36:32.0109 Number of processors: 2

2010/09/24 17:36:32.0109 Page size: 0x1000

2010/09/24 17:36:32.0109 Boot type: Normal boot

2010/09/24 17:36:32.0109 ================================================================================

2010/09/24 17:36:32.0281 Initialize success

2010/09/24 17:36:40.0953 ================================================================================

2010/09/24 17:36:40.0953 Scan started

2010/09/24 17:36:40.0953 Mode: Manual;

2010/09/24 17:36:40.0953 ================================================================================

2010/09/24 17:36:41.0468 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

2010/09/24 17:36:41.0656 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

2010/09/24 17:36:41.0796 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

2010/09/24 17:36:41.0953 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

2010/09/24 17:36:42.0062 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

2010/09/24 17:36:42.0250 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys

2010/09/24 17:36:42.0312 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

2010/09/24 17:36:42.0515 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

2010/09/24 17:36:42.0671 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

2010/09/24 17:36:42.0750 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

2010/09/24 17:36:42.0843 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

2010/09/24 17:36:43.0015 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

2010/09/24 17:36:43.0187 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

2010/09/24 17:36:43.0203 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

2010/09/24 17:36:43.0250 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

2010/09/24 17:36:43.0437 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS

2010/09/24 17:36:43.0593 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys

2010/09/24 17:36:43.0765 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

2010/09/24 17:36:43.0921 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

2010/09/24 17:36:44.0093 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

2010/09/24 17:36:44.0265 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

2010/09/24 17:36:44.0328 atapi (4e140567a2a4884f2060f56c29df63b4) C:\WINDOWS\system32\DRIVERS\atapi.sys

2010/09/24 17:36:44.0515 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

2010/09/24 17:36:44.0671 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

2010/09/24 17:36:44.0906 BCM43XX (37f385a93c620cbe0f89c17e45f697a1) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys

2010/09/24 17:36:45.0093 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys

2010/09/24 17:36:45.0265 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

2010/09/24 17:36:45.0515 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

2010/09/24 17:36:45.0546 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

2010/09/24 17:36:45.0687 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

2010/09/24 17:36:45.0859 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

2010/09/24 17:36:46.0000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

2010/09/24 17:36:46.0171 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

2010/09/24 17:36:46.0250 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

2010/09/24 17:36:46.0406 cfwids (426ee59b25988bb3382fc0a3655deaa2) C:\WINDOWS\system32\drivers\cfwids.sys

2010/09/24 17:36:46.0609 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys

2010/09/24 17:36:46.0781 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

2010/09/24 17:36:46.0937 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys

2010/09/24 17:36:47.0000 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

2010/09/24 17:36:47.0140 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

2010/09/24 17:36:47.0171 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

2010/09/24 17:36:47.0343 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

2010/09/24 17:36:47.0546 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

2010/09/24 17:36:47.0718 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

2010/09/24 17:36:47.0859 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

2010/09/24 17:36:48.0031 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

2010/09/24 17:36:48.0203 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

2010/09/24 17:36:48.0234 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

2010/09/24 17:36:48.0406 DXEC02 (0c8762b91b967a91373e0e022b62acfc) C:\WINDOWS\system32\drivers\dxec02.sys

2010/09/24 17:36:48.0593 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

2010/09/24 17:36:48.0781 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

2010/09/24 17:36:48.0953 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

2010/09/24 17:36:49.0046 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

2010/09/24 17:36:49.0156 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

2010/09/24 17:36:49.0265 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

2010/09/24 17:36:49.0390 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

2010/09/24 17:36:49.0609 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

2010/09/24 17:36:49.0765 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

2010/09/24 17:36:49.0812 grmnusb (6003bc70f1a8307262bd3c941bda0b7e) C:\WINDOWS\system32\drivers\grmnusb.sys

2010/09/24 17:36:50.0000 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

2010/09/24 17:36:50.0187 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

2010/09/24 17:36:50.0234 HSFHWAZL (290cdbb05903742ea06b7203c5a662f5) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys

2010/09/24 17:36:50.0437 HSF_DPV (7ab812355f98858b9ecdd46e6fcc221f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys

2010/09/24 17:36:50.0625 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

2010/09/24 17:36:50.0796 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

2010/09/24 17:36:50.0859 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

2010/09/24 17:36:51.0046 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

2010/09/24 17:36:51.0390 ialm (200cca76cd0e0f7eec78fa56c29b4d67) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys

2010/09/24 17:36:51.0656 iaStor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\drivers\iaStor.sys

2010/09/24 17:36:51.0812 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

2010/09/24 17:36:51.0953 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

2010/09/24 17:36:52.0093 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

2010/09/24 17:36:52.0171 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

2010/09/24 17:36:52.0312 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

2010/09/24 17:36:52.0484 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

2010/09/24 17:36:52.0640 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

2010/09/24 17:36:52.0812 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

2010/09/24 17:36:53.0000 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

2010/09/24 17:36:53.0156 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

2010/09/24 17:36:53.0234 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

2010/09/24 17:36:53.0406 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

2010/09/24 17:36:53.0593 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

2010/09/24 17:36:53.0765 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

2010/09/24 17:36:54.0015 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

2010/09/24 17:36:54.0171 mfeapfk (5bd0c401a8ee4a54f6176c0a10d595ae) C:\WINDOWS\system32\drivers\mfeapfk.sys

2010/09/24 17:36:54.0234 mfeavfk (f3bb4dc61b4dc662bdc778cf1634fae1) C:\WINDOWS\system32\drivers\mfeavfk.sys

2010/09/24 17:36:54.0421 mfebopk (b1498db38d129ed31650422fc8bab9c5) C:\WINDOWS\system32\drivers\mfebopk.sys

2010/09/24 17:36:54.0578 mfefirek (51e9ccea45c78858a229afb6e682cf41) C:\WINDOWS\system32\drivers\mfefirek.sys

2010/09/24 17:36:54.0765 mfehidk (32f7298664874715ce469a79078853c4) C:\WINDOWS\system32\drivers\mfehidk.sys

2010/09/24 17:36:54.0937 mfendisk (9d346b15bb3f4aa323784e2774b4e580) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

2010/09/24 17:36:54.0953 mfendiskmp (9d346b15bb3f4aa323784e2774b4e580) C:\WINDOWS\system32\DRIVERS\mfendisk.sys

2010/09/24 17:36:55.0109 mferkdet (858337b64484cd80eee7d2eba5ac61bc) C:\WINDOWS\system32\drivers\mferkdet.sys

2010/09/24 17:36:55.0265 mfetdi2k (3363aca7b66bd6b37d0f5c148dc9d34b) C:\WINDOWS\system32\drivers\mfetdi2k.sys

2010/09/24 17:36:55.0328 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

2010/09/24 17:36:55.0500 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

2010/09/24 17:36:55.0687 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

2010/09/24 17:36:55.0859 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

2010/09/24 17:36:56.0015 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

2010/09/24 17:36:56.0187 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

2010/09/24 17:36:56.0265 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

2010/09/24 17:36:56.0468 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

2010/09/24 17:36:56.0625 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

2010/09/24 17:36:56.0781 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

2010/09/24 17:36:56.0828 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

2010/09/24 17:36:57.0015 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

2010/09/24 17:36:57.0125 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

2010/09/24 17:36:57.0437 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys

2010/09/24 17:36:57.0609 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

2010/09/24 17:36:57.0828 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

2010/09/24 17:36:57.0984 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

2010/09/24 17:36:58.0140 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

2010/09/24 17:36:58.0171 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

2010/09/24 17:36:58.0328 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

2010/09/24 17:36:58.0484 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys

2010/09/24 17:36:58.0656 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

2010/09/24 17:36:58.0859 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

2010/09/24 17:36:59.0062 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

2010/09/24 17:36:59.0250 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

2010/09/24 17:36:59.0312 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

2010/09/24 17:36:59.0468 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

2010/09/24 17:36:59.0562 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

2010/09/24 17:36:59.0781 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

2010/09/24 17:36:59.0921 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

2010/09/24 17:37:00.0093 OEM02Afx (58f478fd0115012ceec75fb73628901c) C:\WINDOWS\system32\Drivers\OEM02Afx.sys

2010/09/24 17:37:00.0281 OEM02Dev (9d20fa5d8875f6063aa5e1c44446f698) C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys

2010/09/24 17:37:00.0453 OEM02Vfx (86326062a90494bdd79ce383511d7d69) C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys

2010/09/24 17:37:00.0625 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

2010/09/24 17:37:00.0828 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

2010/09/24 17:37:00.0984 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

2010/09/24 17:37:01.0140 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

2010/09/24 17:37:01.0203 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

2010/09/24 17:37:01.0375 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

2010/09/24 17:37:01.0546 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

2010/09/24 17:37:01.0781 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

2010/09/24 17:37:01.0906 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

2010/09/24 17:37:02.0093 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

2010/09/24 17:37:02.0125 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

2010/09/24 17:37:02.0140 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

2010/09/24 17:37:02.0187 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

2010/09/24 17:37:02.0328 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

2010/09/24 17:37:02.0484 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

2010/09/24 17:37:02.0656 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

2010/09/24 17:37:02.0843 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

2010/09/24 17:37:03.0000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

2010/09/24 17:37:03.0156 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

2010/09/24 17:37:03.0187 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

2010/09/24 17:37:03.0218 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

2010/09/24 17:37:03.0406 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

2010/09/24 17:37:03.0562 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

2010/09/24 17:37:03.0734 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

2010/09/24 17:37:03.0921 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys

2010/09/24 17:37:04.0125 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

2010/09/24 17:37:04.0218 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys

2010/09/24 17:37:04.0343 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys

2010/09/24 17:37:04.0484 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys

2010/09/24 17:37:04.0531 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys

2010/09/24 17:37:04.0640 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys

2010/09/24 17:37:04.0687 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys

2010/09/24 17:37:04.0906 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys

2010/09/24 17:37:05.0078 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

2010/09/24 17:37:05.0265 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

2010/09/24 17:37:05.0343 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

2010/09/24 17:37:05.0515 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys

2010/09/24 17:37:05.0671 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys

2010/09/24 17:37:05.0828 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

2010/09/24 17:37:06.0000 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

2010/09/24 17:37:06.0171 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

2010/09/24 17:37:06.0218 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

2010/09/24 17:37:06.0359 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

2010/09/24 17:37:06.0546 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

2010/09/24 17:37:06.0718 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys

2010/09/24 17:37:06.0968 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys

2010/09/24 17:37:07.0156 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

2010/09/24 17:37:07.0187 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

2010/09/24 17:37:07.0359 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

2010/09/24 17:37:07.0531 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

2010/09/24 17:37:07.0687 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

2010/09/24 17:37:07.0843 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

2010/09/24 17:37:08.0015 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

2010/09/24 17:37:08.0187 SynTP (936cd58395d36659bb798b961ef7357f) C:\WINDOWS\system32\DRIVERS\SynTP.sys

2010/09/24 17:37:08.0234 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

2010/09/24 17:37:08.0453 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

2010/09/24 17:37:08.0625 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

2010/09/24 17:37:08.0781 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

2010/09/24 17:37:08.0968 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

2010/09/24 17:37:09.0140 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

2010/09/24 17:37:09.0203 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

2010/09/24 17:37:09.0359 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

2010/09/24 17:37:09.0515 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

2010/09/24 17:37:09.0718 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

2010/09/24 17:37:09.0875 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

2010/09/24 17:37:10.0062 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

2010/09/24 17:37:10.0218 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

2010/09/24 17:37:10.0265 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

2010/09/24 17:37:10.0437 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

2010/09/24 17:37:10.0546 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys

2010/09/24 17:37:10.0687 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

2010/09/24 17:37:10.0859 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

2010/09/24 17:37:11.0015 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

2010/09/24 17:37:11.0187 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

2010/09/24 17:37:11.0281 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

2010/09/24 17:37:11.0468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

2010/09/24 17:37:11.0656 winachsf (a8596cf86d445269a42ecc08b7066a4c) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys

2010/09/24 17:37:11.0890 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys

2010/09/24 17:37:12.0078 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys

2010/09/24 17:37:12.0171 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

2010/09/24 17:37:12.0312 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

2010/09/24 17:37:12.0421 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

2010/09/24 17:37:12.0500 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)

2010/09/24 17:37:12.0500 ================================================================================

2010/09/24 17:37:12.0500 Scan finished

2010/09/24 17:37:12.0500 ================================================================================

2010/09/24 17:37:12.0531 Detected object count: 1

2010/09/24 17:38:21.0031 \HardDisk0\MBR - will be cured after reboot

2010/09/24 17:38:21.0031 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure

2010/09/24 17:38:27.0875 Deinitialize success

ComboFix Log:

ComboFix 10-09-24.03 - Brent Toppert 09/24/2010 18:17:29.4.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3062.2546 [GMT -5:00]

Running from: c:\documents and settings\Brent Toppert\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Brent Toppert\Desktop\CFScript.txt

AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FW: McAfee Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\System32\eventlog.dll

.

((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))

.

2010-09-24 23:17 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll

2010-09-24 23:17 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\dllcache\eventlog.dll

2010-09-24 04:52 . 2010-09-24 04:52 423656 ----a-w- c:\windows\system32\deployJava1.dll

2010-09-23 15:55 . 2010-09-23 15:55 388096 ----a-r- c:\documents and settings\Brent Toppert\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2010-09-23 15:55 . 2010-09-23 15:55 -------- d-----w- c:\program files\Trend Micro

2010-09-23 11:02 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-09-23 11:02 . 2010-09-23 11:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-09-23 11:02 . 2010-09-23 11:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-09-23 11:02 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-09-22 20:16 . 2010-09-22 20:16 -------- d-----w- c:\program files\SiteAdvisor

2010-09-22 20:15 . 2010-08-24 19:57 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys

2010-09-22 20:15 . 2010-08-24 19:57 88544 ----a-w- c:\windows\system32\drivers\mfendisk.sys

2010-09-22 20:15 . 2010-08-24 19:57 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys

2010-09-22 20:15 . 2010-08-24 19:57 84072 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys

2010-09-22 20:15 . 2010-08-24 19:57 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys

2010-09-22 20:15 . 2010-08-24 19:57 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys

2010-09-22 20:15 . 2010-08-24 19:57 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys

2010-09-22 20:15 . 2010-08-24 19:57 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys

2010-09-22 20:15 . 2010-09-22 20:16 -------- d-----w- c:\program files\Common Files\Mcafee

2010-09-22 20:15 . 2010-09-22 20:15 -------- d-----w- c:\program files\McAfee.com

2010-09-22 20:15 . 2010-09-23 00:14 -------- d-----w- c:\program files\McAfee

2010-09-22 19:40 . 2010-09-22 19:40 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-09-20 08:43 . 2010-08-24 19:57 141792 ----a-w- c:\windows\system32\mfevtps.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-09-24 20:19 . 2009-07-10 19:13 -------- d-----w- c:\program files\Common Files\Adobe

2010-09-24 04:53 . 2009-06-03 22:39 -------- d-----w- c:\program files\Common Files\Java

2010-09-24 04:51 . 2009-06-03 22:39 -------- d-----w- c:\program files\Java

2010-09-23 16:52 . 2009-11-23 17:57 -------- d-----w- c:\program files\pup7

2010-09-22 20:17 . 2009-06-03 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee

2010-09-20 06:52 . 2009-11-10 05:11 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-09-20 06:52 . 2009-11-12 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-09-20 06:51 . 2009-11-30 09:25 -------- d-----w- c:\documents and settings\Brent Toppert\Application Data\Move Networks

2010-09-16 13:29 . 2009-08-18 15:48 243 ----a-w- c:\documents and settings\Brent Toppert\Application Data\gsak\babel.bat

2010-09-16 13:29 . 2009-08-18 15:26 -------- d-----w- c:\documents and settings\Brent Toppert\Application Data\gsak

2010-09-16 13:29 . 2009-06-03 22:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2010-09-16 13:22 . 2009-08-18 15:26 -------- d-----w- c:\program files\gsak

2010-09-05 05:11 . 2009-07-11 02:52 -------- d-----w- c:\program files\Microsoft Silverlight

2010-08-24 19:57 . 2010-08-24 19:57 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys

2010-08-24 19:57 . 2009-03-25 16:06 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys

2010-08-17 13:17 . 2004-08-10 17:51 58880 ----a-w- c:\windows\system32\spoolsv.exe

2010-07-25 07:59 . 2010-07-25 07:59 10134 ----a-r- c:\documents and settings\Brent Toppert\Application Data\Microsoft\Installer\{0E532C84-4275-41B3-9D81-D4A1A20D8EE7}\ARPPRODUCTICON.exe

2010-07-22 15:49 . 2004-08-10 17:51 590848 ----a-w- c:\windows\system32\rpcrt4.dll

2010-07-22 05:57 . 2009-06-04 04:55 5120 ----a-w- c:\windows\system32\xpsp4res.dll

2010-06-30 12:31 . 2004-08-10 17:51 149504 ----a-w- c:\windows\system32\schannel.dll

2010-08-24 19:57 . 2010-09-22 20:15 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-09-24_21.39.28 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-09-24 23:14 . 2010-09-24 23:14 16384 c:\windows\Temp\Perflib_Perfdata_2f8.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-10 851968]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-10 137752]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-10 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-10 137752]

"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]

"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-16 2289664]

"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2008-03-31 405504]

"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-11-20 623960]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2009-6-3 50688]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\KADxMain.exe"=

"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\Windows Live\\WLIDSVCM.EXE"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [9/22/2010 3:15 PM 84072]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/22/2010 3:15 PM 271480]

R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/22/2010 3:15 PM 271480]

R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [9/22/2010 3:15 PM 271480]

R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [9/22/2010 3:15 PM 188136]

R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [9/20/2010 3:43 AM 141792]

R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [9/22/2010 3:15 PM 55840]

R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [9/22/2010 3:15 PM 312904]

R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [9/22/2010 3:15 PM 88544]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/30/2009 9:43 AM 135664]

S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [9/22/2010 3:15 PM 88544]

S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [9/22/2010 3:15 PM 84264]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

.

Contents of the 'Scheduled Tasks' folder

2009-12-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cb0da660a74be0.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-11-30 14:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.exeloncorp.com/ess

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyOverride = *.local

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Brent Toppert\Application Data\Mozilla\Firefox\Profiles\dhp8ktlt.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.geocaching.com/my/ | http://www.cordovalocal.com/forum

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=

FF - component: c:\documents and settings\Brent Toppert\Application Data\Mozilla\Firefox\Profiles\dhp8ktlt.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-09-24 18:25

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8B125C76]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba0ecf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f37852

\Driver\iaStor -> iaStor.sys @ 0xb9e7cc1a

IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Dell Wireless 1395 WLAN Mini-Card -> SendCompleteHandler -> NDIS.sys @ 0xb9d15bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d04a0d

SendHandler -> NDIS.sys @ 0xb9d18b40

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,b5,ce,01,c8,00,f4,4d,a6,0f,ec,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,23,b5,ce,01,c8,00,f4,4d,a6,0f,ec,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1372)

c:\windows\system32\WININET.dll

c:\windows\System32\BCMLogon.dll

c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\MFC80.DLL

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

- - - - - - - > 'lsass.exe'(1432)

c:\windows\system32\WININET.dll

.

Completion time: 2010-09-24 18:29:39

ComboFix-quarantined-files.txt 2010-09-24 23:29

Pre-Run: 210,626,883,584 bytes free

Post-Run: 210,610,847,744 bytes free

- - End Of File - - F887CE1ED155DE85DA0C9DE407D39D24

Link to post
Share on other sites

Havoc_1980:

Your PC is infected with a rootkit, one that is attached to the Master Boot Record (MBR) of your hard disk. We usually have a good amount of success when it comes to fixing the MBR but the MBR is a delicate area and there is a possibility of data loss and/or have complete PC failure if the disinfection process does not work. Please back up any important data before proceeding.

icon11.gif Earlier on ComboFix installed the Recovery Console. We're going to use that now. Please print and read the instructions and ask any questions you have before you start:

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"

(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)

RC_BootMenu.gif

RConsole_A.png

When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter

It will then prompt you for the Administrator's password. If there is no password, simply press enter. Otherwise type in the password and then press enter.

RConsole_Fixmbr.png

Next type FIXMBR

RConsole_FixmbrB.png

If it ask if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

icon11.gif Press Start > Run or Windows Key + R then copy and paste the following command into the run box that opens and press "Enter"

cmd /c mbr -t>"%userprofile%\Desktop\mbr.txt"

That will place a file called MBR.txt on your desktop. Please copy and paste the contents of that file into your next post.

Please include the following in your next post:

  • mbr.txt contents

Link to post
Share on other sites

Havoc_1980:

OK, let's try to get to the Recovery Console with your disk:

icon11.gif We need to fix your MBR:

  1. Restart your computer with the Windows XP Setup disk in the CDROMdrive.
  2. If you are prompted to press a key to start the computer from CDROM, do so quickly. Otherwise it may try to boot from the hard drive.
  3. After a few minutes, you'll see a prompt to press the R key to start the Recovery Console.
  4. When Recovery Console starts, it will prompt you to enter a number corresponding to the Windows XP installation that you need to repair. In most cases, you'll enter "1" (which will be the only choice). ( If you press ENTER without typing a number, Recovery Console will quit and restart your computer.)
  5. Enter your Administrator password. If you don't enter the correct password, you cannot continue. (If you did not set a password, just hit enter)
  6. At the Recovery Console command prompt, type fixmbr and then verify that you want to proceed.
  7. when complete, type EXIT and reboot normally.

Your damaged MBR will be replaced with a new one, and you should then be able to boot your system normally. In some cases, you may need to repair the boot sector in addition to the MBR. If your system still doesn't boot properly, repeat the steps above, but issue the fixboot command instead.

icon11.gif Press Start > Run or Windows Key + R then copy and paste the following command into the run box that opens and press "Enter"

cmd /c mbr -t>"%userprofile%\Desktop\mbr.txt"

That will place a file called MBR.txt on your desktop. Please copy and paste the contents of that file into your next post.

Please include the following in your next post:

  • mbr.txt contents

Link to post
Share on other sites

Havoc_1980:

Excellent! Now I have some additional cleanup for you to take care of:

icon11.gif Uninstall ComboFix

  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
    Combofix /Uninstall

Combofix_uninstall_image.jpg

icon11.gif Delete the following tools along with any other logs you saved from our work:

  • TDSSKiller
  • MBRCheck

Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.