
Solved Infected again

Discussion in 'Malware and Virus Removal Archive' started by llsshopping, 2010/09/22.

  1. 2010/09/22
    llsshopping (Inactive, Thread Starter)

    [Resolved] Infected again

    It appears I have been infected again. We have experienced multiple instances of IE when trying to close instances of IE. I realize IE 6 is old, but I do not have a desire to upgrade and use Firefox for all browsing, except where IE is required. Below are the requested logs plus logs from the Kaspersky website along with Malwarebytes' that I ran to determine there was an issue.

    Thank you in advance for your help.


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Admin at 20:36:26.25 on Wed 09/22/2010
    Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.708 [GMT -4:00]

    AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\WINDOWS\system32\svchost.exe -k HPService
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    D:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\rundll32.exe
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    C:\WINDOWS\system32\Ati2evxx.exe
    D:\Program Files\Click'N Design 3D\CDLS.exe
    D:\PROGRA~1\QUICKT~1\QuickTimePlayer.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    D:\Program Files\Mozilla Firefox\firefox.exe
    D:\Program Files\Mozilla Firefox\plugin-container.exe
    D:\Program Files\Java\jre6\bin\java.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    C:\Documents and Settings\Admin\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - d:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10i_Plugin.exe -update plugin
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [QuickTime Task] "d:\program files\quicktime\qttask.exe" -atboottime
    mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - d:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - d:\program files\java\jre6\bin\jp2iexp.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - d:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
    Trusted Zone: intuit.com\ttlc
    DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
    DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://69.3.198.64:100/RemoteWeb.cab
    DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://69.3.198.64:100/VideoViewer.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {DB31DA00-4F6F-4CC7-8627-C5A142E1FC7C} - hxxp://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - hxxp://trueswitch.com/TrueInstall.exe
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\admin\applic~1\mozilla\firefox\profiles\6nmyrlwn.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: d:\program files\adobe\reader 9.0\reader\browser\nppdf32.dll
    FF - plugin: d:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: d:\program files\java\jre6\bin\new_plugin\npdeploytk.dll
    FF - plugin: d:\program files\java\jre6\bin\new_plugin\npjp2.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\NPcol308.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\npgcplug.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: d:\program files\mozilla firefox\plugins\npracplug.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin2.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin3.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin4.dll
    FF - plugin: d:\program files\quicktime\plugins\npqtplugin5.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - d:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----

    ============= SERVICES / DRIVERS ===============

    R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-5-14 214664]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-11-8 93320]
    R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-11-8 359952]
    R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-11-8 144704]
    R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\opencase\opencase media agent\MediaAgent.exe [2008-8-29 835208]
    R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-11-8 606736]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-11-8 79816]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-11-8 35272]
    R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-11-8 34248]
    R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-11-8 40552]
    S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2009-1-2 43024]
    S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2009-1-2 77104]
    S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2009-1-2 60816]

    =============== Created Last 30 ================


    ==================== Find3M ====================

    2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll

    ============= FINISH: 20:37:20.99 ===============

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7.0: scan report
    Wednesday, September 22, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Tuesday, September 21, 2010 23:07:59
    Records in database: 4235977
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    Y:\
    Z:\

    Scan statistics:
    Objects scanned: 301193
    Threats found: 7
    Infected objects found: 18
    Suspicious objects found: 0
    Scan duration: 14:46:35


    File name / Threat / Threats count
    C:\Documents and Settings\Lance\Local Settings\Temporary Internet Files\Content.IE5\KZEFQ34H\uzOKX20fndU[2].js Infected: Trojan.JS.Agent.bra 1
    C:\Documents and Settings\Lisa\Local Settings\temp\jar_cache1441277996796990338.tmp Infected: Exploit.Java.Agent.cx 1
    C:\Documents and Settings\Lisa\Local Settings\temp\jar_cache2519771576336990530.tmp Infected: Exploit.Java.Agent.cw 1
    C:\Documents and Settings\Lisa\Local Settings\temp\jar_cache2519771576336990530.tmp Infected: Exploit.Java.Agent.cu 1
    C:\Documents and Settings\Lisa\Local Settings\temp\jar_cache2519771576336990530.tmp Infected: Exploit.Java.Agent.cv 1
    C:\Documents and Settings\Lisa\Local Settings\temp\jar_cache8735472186894249828.tmp Infected: Exploit.Java.Agent.cx 1
    C:\Documents and Settings\Lisa\Local Settings\temp\jar_cache9114673324489576496.tmp Infected: Exploit.Java.Agent.cw 1
    C:\Documents and Settings\Lisa\Local Settings\temp\jar_cache9114673324489576496.tmp Infected: Exploit.Java.Agent.cu 1
    C:\Documents and Settings\Lisa\Local Settings\temp\jar_cache9114673324489576496.tmp Infected: Exploit.Java.Agent.cv 1
    C:\Documents and Settings\Lisa\Local Settings\temp\plugtmp\plugin-mgvfo.pdf Infected: Exploit.JS.Pdfka.cus 2
    C:\Documents and Settings\Lisa\Local Settings\temp\Temporary Internet Files\Content.IE5\WLA70X2N\ZV_vz-B2HaA[2].js Infected: Trojan.JS.Agent.bra 1
    C:\Documents and Settings\Lisa\Local Settings\Temporary Internet Files\Content.IE5\1Z3ZQRP7\uzOKX20fndU[2].js Infected: Trojan.JS.Agent.bra 1
    C:\Documents and Settings\Lisa\Local Settings\Temporary Internet Files\Content.IE5\7QJPTXNJ\EfiniaLdnAQ[2].js Infected: Trojan.JS.Agent.bra 1
    C:\Documents and Settings\Lisa\Local Settings\Temporary Internet Files\Content.IE5\XXKJPH7L\ZV_vz-B2HaA[2].js Infected: Trojan.JS.Agent.bra 1
    C:\Documents and Settings\Lisa\Local Settings\Temporary Internet Files\Content.IE5\YX07Q1QD\S02Li1X0504[2].js Infected: Trojan.JS.Agent.bra 1

    Selected area has been scanned.

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4653

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 6.0.2900.5512

    9/19/2010 11:10:40 PM
    mbam-log-2010-09-19 (23-10-40).txt

    Scan type: Full scan (C:\|D:\|E:\|)
    Objects scanned: 401821
    Time elapsed: 2 hour(s), 33 minute(s), 46 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfuymohu (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  2. 2010/09/22
    broni (Moderator, Malware Analyst)

    No matter if you use IE or not, you have to upgrade it to at least version 7.
    Version 6 is an ancient and dangerous browser.
    There'll be no discussion on that matter, or I refuse to help.
    I mean, you'll upgrade now.

    Download GMER: http://www.gmer.net/files.php, by clicking on the Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on the downloaded .exe file, select the Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When the scan is completed, click the Save button and save the results as gmer.log.
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in the right pane.
    If still no joy, try to run it from Safe Mode.

    =============================================================

    Download MBRCheck to your desktop.

    Double click MBRCheck.exe to run it (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop.
    Open this report and post its content in your next reply.
     


  3. 2010/09/22
    Admin. (Administrator, Staff)

    Need the Attach.txt log; you posted the DDS log twice.
     
  4. 2010/09/22
    llsshopping (Inactive, Thread Starter)

    Sorry for the double post.

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume4
    Install Date: 6/25/2008 5:36:33 PM
    System Uptime: 9/3/2010 8:01:29 PM (456 hours ago)

    Motherboard: ASUSTeK Computer Inc. | | P4P800SE
    Processor: Intel(R) Pentium(R) 4 CPU 2.40GHz | CPU 1 | 2399/133mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 34 GiB total, 14.064 GiB free.
    D: is FIXED (NTFS) - 37 GiB total, 2.712 GiB free.
    E: is FIXED (NTFS) - 149 GiB total, 3.864 GiB free.
    F: is FIXED (FAT32) - 373 GiB total, 223.17 GiB free.
    G: is Removable
    H: is FIXED (NTFS) - 596 GiB total, 549.085 GiB free.
    Y: is CDROM ()
    Z: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: USB Media Adapter
    Device ID: USB\VID_07B4&PID_010A\5&3AD090D&0&1
    Manufacturer:
    Name: USB Media Adapter
    PNP Device ID: USB\VID_07B4&PID_010A\5&3AD090D&0&1
    Service:

    Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
    Description: Photosmart C7200 series
    Device ID: ROOT\MULTIFUNCTION\0000
    Manufacturer: HP
    Name: Photosmart C7200 series
    PNP Device ID: ROOT\MULTIFUNCTION\0000
    Service:

    ==== System Restore Points ===================

    RP95: 9/4/2010 9:16:30 AM - System Checkpoint
    RP96: 9/5/2010 9:42:49 AM - System Checkpoint
    RP97: 9/6/2010 10:59:33 AM - System Checkpoint
    RP98: 9/7/2010 7:54:17 PM - System Checkpoint
    RP99: 9/9/2010 6:07:05 AM - System Checkpoint
    RP100: 9/10/2010 6:42:43 AM - System Checkpoint
    RP101: 9/11/2010 7:43:12 AM - System Checkpoint
    RP102: 9/12/2010 10:38:15 AM - System Checkpoint
    RP103: 9/14/2010 7:15:52 PM - System Checkpoint
    RP104: 9/15/2010 7:42:39 PM - System Checkpoint
    RP105: 9/16/2010 9:06:31 PM - System Checkpoint
    RP106: 9/18/2010 9:49:33 AM - System Checkpoint
    RP107: 9/20/2010 12:05:57 AM - System Checkpoint
    RP108: 9/21/2010 3:29:44 PM - System Checkpoint

    ==== Installed Programs ======================


    32 Bit HP CIO Components Installer
    Adobe Acrobat - Reader 6.0.2 Update
    Adobe Acrobat 6.0.1 Standard
    Adobe Acrobat and Reader 6.0.3 Update
    Adobe Acrobat and Reader 6.0.4 Update
    Adobe Acrobat and Reader 6.0.5 Update
    Adobe Acrobat and Reader 6.0.6 Update
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Bridge 1.0
    Adobe Common File Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 1.0
    Adobe Photoshop CS2
    Adobe Reader 9.3.4
    Adobe Stock Photos 1.0
    AIO_Scan
    AnswerWorks 5.0 English Runtime
    Apple Software Update
    ArcSoft MediaImpression
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    BitPim 1.0.6
    BufferChm
    C7200
    C7200_Help
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Graphics Previews Common
    ccc-core-preinstall
    ccc-core-static
    ccc-utility
    CCC Help English
    CCleaner
    CloneDVD2
    Compatibility Pack for the 2007 Office system
    Coupon Printer for Windows
    Critical Update for Windows Media Player 11 (KB959772)
    CustomerResearchQFolder
    DeviceManagementQFolder
    DocProc
    DocProcQFolder
    eSupportQFolder
    Fax
    ffdshow [rev 2693] [2009-02-16]
    HijackThis 2.0.2
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Photosmart All-In-One Driver Software 10.0 Rel .2
    HP Smart Web Printing
    HP Update
    Java Auto Updater
    Java(TM) 6 Update 18
    LGUsbDriver
    Logitech Harmony Remote Software 7
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    MetaFrame Presentation Server Web Client for Win32
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint 6.2
    Microsoft IntelliType Pro 6.2
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Professional Edition 2003
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    MotionDV STUDIO 5.6E LE for DV
    Mozilla Firefox (3.6.8)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NAVIGON Fresh 1.4.9
    Nero 6 Ultra Edition
    NetDeviceManager
    OCR Software by I.R.I.S. 10.0
    OLYMPUS Raw Codec
    OpenCASE Media Agent
    ORFshell v0.99 beta 8
    Picasa 3
    PS_AIO_02_ProductContext
    PS_AIO_02_Software
    PS_AIO_02_Software_Min
    PureVoice
    QuickTime
    RAW Thumbnail Viewer
    Scan
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    SharpKeys
    Skins
    SmartWebPrintingOC
    Sony Sound Forge 7.0
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 8
    Toolbox
    TrueSwitch Wizard
    TurboTax 2008
    TurboTax 2008 WinPerFedFormset
    TurboTax 2008 WinPerProgramHelp
    TurboTax 2008 WinPerReleaseEngine
    TurboTax 2008 WinPerTaxSupport
    TurboTax 2008 WinPerUserEducation
    TurboTax 2008 wnjiper
    TurboTax 2008 wrapper
    TurboTax 2009
    TurboTax 2009 WinPerFedFormset
    TurboTax 2009 WinPerReleaseEngine
    TurboTax 2009 WinPerTaxSupport
    TurboTax 2009 wnjiper
    TurboTax 2009 wrapper
    Tweak UI
    UnloadSupport
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    Verizon Online Help and Support
    Verizon Servicepoint 1.5.12
    WebFldrs XP
    WebReg
    Windows Driver Package - OLYMPUS IMAGING CORP. (OlyUsbCam) OlyUsbCam (12/28/2006 1.0.0.0)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    9/19/2010 7:28:28 PM, error: ati2mtag [45062] - CRT invalid display type

    ==== End Of File ===========================
     
  6. 2010/09/22
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Go on....
     
  7. 2010/09/23
    llsshopping

    llsshopping Inactive Thread Starter

    Joined:
    2009/12/22
    Messages:
    92
    Likes Received:
    0
    Here you go:

    GMER Pt. 1

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-09-23 05:57:17
    Windows 5.1.2600 Service Pack 3
    Running: v1fr64un.exe; Driver: C:\DOCUME~1\Admin\LOCALS~1\Temp\fwtyqpob.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9CAF78A]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA9CAF821]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9CAF738]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA9CAF74C]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9CAF835]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9CAF861]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA9CAF8CF]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA9CAF8B9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9CAF7CA]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA9CAF8FB]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA9CAF80D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA9CAF710]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA9CAF724]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9CAF79E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA9CAF937]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA9CAF8A3]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA9CAF88D]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9CAF84B]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA9CAF923]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA9CAF90F]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA9CAF776]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA9CAF762]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA9CAF877]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9CAF7F9]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA9CAF8E5]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9CAF7E0]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9CAF7B4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
    Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP A9CAF7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP A9CAF811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F9 7 Bytes JMP A9CAF891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtCreateFile 8056CF98 5 Bytes JMP A9CAF78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtSetInformationProcess 8056DDD9 5 Bytes JMP A9CAF766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwCreateKey 80570833 5 Bytes JMP A9CAF825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwQueryKey 80570C4A 7 Bytes JMP A9CAF93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwEnumerateKey 80570F41 7 Bytes JMP A9CAF8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtOpenProcess 805719AC 5 Bytes JMP A9CAF714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571E96 7 Bytes JMP A9CAF7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwSetValueKey 80572A6E 7 Bytes JMP A9CAF87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP A9CAF7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP A9CAF7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwCreateProcessEx 8057FE4C 7 Bytes JMP A9CAF750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP A9CAF7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwEnumerateValueKey 80589A67 7 Bytes JMP A9CAF8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP A9CAF728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058EA94 5 Bytes JMP A9CAF8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D64 7 Bytes JMP A9CAF865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwDeleteKey 80595316 7 Bytes JMP A9CAF839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwCreateProcess 805B14AC 5 Bytes JMP A9CAF73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwSetContextThread 8062E057 5 Bytes JMP A9CAF77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwUnloadKey 8064DD32 7 Bytes JMP A9CAF8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E66B 7 Bytes JMP A9CAF8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwRenameKey 8064EAEA 7 Bytes JMP A9CAF84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwRestoreKey 8064EFDD 5 Bytes JMP A9CAF913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    PAGE ntoskrnl.exe!ZwReplaceKey 8064F446 5 Bytes JMP A9CAF927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xBA332000, 0x198FE0, 0xE8000020]
     
  8. 2010/09/23
    llsshopping

    llsshopping Inactive Thread Starter

    Joined:
    2009/12/22
    Messages:
    92
    Likes Received:
    0
    GMER Pt. 2

    ---- User code sections - GMER 1.0.15 ----

    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 010E0FEF
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 010E0F61
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010E0F72
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 010E0F83
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 010E0F9E
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 010E0040
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010E0F35
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 010E0F46
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 010E00C4
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010E00B3
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010E0F10
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 010E0FB9
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 010E0FCA
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 010E0071
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateNamedPipeW 7C82F0DD 3 Bytes JMP 010E0025
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateNamedPipeW + 4 7C82F0E1 1 Byte [84]
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 010E0000
    .text C:\WINDOWS\system32\services.exe[776] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 010E0098
    .text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FD4
    .text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF006C
    .text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF0025
    .text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0FE5
    .text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF005B
    .text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0000
    .text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FF004A
    .text C:\WINDOWS\system32\services.exe[776] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0FC3
    .text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0038
    .text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0FB7
    .text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE000C
    .text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF
    .text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0027
    .text C:\WINDOWS\system32\services.exe[776] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FDE
    .text C:\WINDOWS\system32\services.exe[776] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0FEF
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0FEF
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC0F69
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0054
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0043
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0F86
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0FA8
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0F4E
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC008A
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC00D3
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC00C2
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC00EE
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0F97
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC0FDE
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC0079
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0014
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0FC3
    .text C:\WINDOWS\system32\lsass.exe[788] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC00A7
    .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EB0FC0
    .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EB0F54
    .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EB0011
    .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EB0FDB
    .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EB0F6F
    .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EB0000
    .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EB0F94
    .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0B, 89]
    .text C:\WINDOWS\system32\lsass.exe[788] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EB0FA5
    .text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA0FAD
    .text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0FBE
    .text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA001D
    .text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA0FEF
    .text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA002E
    .text C:\WINDOWS\system32\lsass.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0000
    .text C:\WINDOWS\system32\lsass.exe[788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E90000
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80089
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80F94
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B8006E
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80FAF
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B8002C
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B800D5
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F83
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B800F7
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F68
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B80108
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80051
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80FDB
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B800A4
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80FCA
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80011
    .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B800E6
    .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70FCA
    .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70F6F
    .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B7001B
    .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B70FEF
    .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B70F8A
    .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00B70FA5
    .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [D7, 88]
    .text C:\WINDOWS\system32\svchost.exe[964] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B70036
    .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B6005A
    .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B6003F
    .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B6001D
    .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60000
    .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B6002E
    .text C:\WINDOWS\system32\svchost.exe[964] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60FE3
    .text C:\WINDOWS\system32\svchost.exe[964] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AF0000
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60000
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B6008A
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B60F8B
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B60FA8
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B6005B
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B60FB9
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B60F5D
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B600A5
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B60F42
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B600D1
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B600F6
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B60040
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B60FEF
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B60F7A
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B60FDE
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B6002F
    .text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B600B6
    .text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B50011
    .text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B50F6F
    .text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B50FCA
    .text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B50FDB
    .text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B50F80
    .text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B50000
    .text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B5002C
    .text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B50FA5
    .text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B40FBE
    .text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B40FD9
    .text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B4002E
    .text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B40000
    .text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B40049
    .text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B4001D
    .text C:\WINDOWS\system32\svchost.exe[1064] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B30FEF
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04F70FE5
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04F7008B
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04F7007A
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 04F70069
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04F70058
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04F70036
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 04F70F74
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 04F70F85
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04F70117
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04F700FC
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04F70F59
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04F70047
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 04F7000A
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 04F700B0
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04F70025
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 04F70FD4
    .text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04F700E1
    .text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 04F60011
    .text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 04F60F9B
    .text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04F60FC0
    .text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 04F60FE5
    .text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04F60058
    .text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04F60000
    .text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 04F60047
    .text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04F6002C
    .text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04F50053
    .text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!system 77C293C7 5 Bytes JMP 04F50042
    .text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04F50FD2
    .text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04F50000
    .text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04F50027
    .text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04F50FE3
    .text C:\WINDOWS\System32\svchost.exe[1192] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04F40FEF
    .text C:\WINDOWS\System32\svchost.exe[1192] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 04F30000
    .text C:\WINDOWS\System32\svchost.exe[1192] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 04F30011
    .text C:\WINDOWS\System32\svchost.exe[1192] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 04F30FDB
    .text C:\WINDOWS\System32\svchost.exe[1192] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 04F3002C
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F92
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0087
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B006C
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B005B
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FB9
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F66
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B00AE
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00F5
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00DA
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F41
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0040
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B0FDE
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F77
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0025
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0014
    .text C:\WINDOWS\system32\wuauclt.exe[1308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00C9
    .text C:\WINDOWS\system32\wuauclt.exe[1308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0027
    .text C:\WINDOWS\system32\wuauclt.exe[1308] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0F9C
    .text C:\WINDOWS\system32\wuauclt.exe[1308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FB7
    .text C:\WINDOWS\system32\wuauclt.exe[1308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FE3
    .text C:\WINDOWS\system32\wuauclt.exe[1308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A000C
    .text C:\WINDOWS\system32\wuauclt.exe[1308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FD2
    .text C:\WINDOWS\system32\wuauclt.exe[1308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B0014
    .text C:\WINDOWS\system32\wuauclt.exe[1308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F7C
    .text C:\WINDOWS\system32\wuauclt.exe[1308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B0FCD
    .text C:\WINDOWS\system32\wuauclt.exe[1308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0FDE
    .text C:\WINDOWS\system32\wuauclt.exe[1308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0F97
    .text C:\WINDOWS\system32\wuauclt.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0FEF
    .text C:\WINDOWS\system32\wuauclt.exe[1308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0FA8
    .text C:\WINDOWS\system32\wuauclt.exe[1308] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
    .text C:\WINDOWS\system32\wuauclt.exe[1308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B002F
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008C000A
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008C0098
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008C007D
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008C006C
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008C005B
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008C0036
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008C00C4
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008C0F72
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008C00FA
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008C0F61
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008C0F46
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008C0FB9
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008C0FE5
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008C00A9
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008C0FCA
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008C001B
    .text C:\WINDOWS\system32\svchost.exe[1328] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008C00DF
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008B0FCD
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008B0FA8
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008B0FDE
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008B0FEF
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008B0065
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008B0000
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 008B004A
    .text C:\WINDOWS\system32\svchost.exe[1328] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008B0039
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008A0047
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!system 77C293C7 5 Bytes JMP 008A0FBC
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008A0018
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008A0FEF
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008A0FCD
    .text C:\WINDOWS\system32\svchost.exe[1328] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008A0FDE
    .text C:\WINDOWS\system32\svchost.exe[1328] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00890000
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DF0000
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DF0F54
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DF0F6F
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DF0047
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DF0F94
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DF0022
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DF0F43
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DF007F
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DF0F0D
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DF00A6
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DF0EF2
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DF0FA5
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DF0011
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DF0064
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DF0FB6
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DF0FD1
    .text C:\WINDOWS\system32\svchost.exe[1348] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DF0F32
    .text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DE0FDE
    .text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DE0080
    .text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DE0025
    .text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DE0014
    .text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DE006F
    .text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DE0FEF
    .text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DE0054
    .text C:\WINDOWS\system32\svchost.exe[1348] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DE0FCD
    .text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DD003D
    .text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DD002C
    .text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DD000A
    .text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DD0FE3
    .text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DD001B
    .text C:\WINDOWS\system32\svchost.exe[1348] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DD0FC6
    .text C:\WINDOWS\system32\svchost.exe[1348] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DC0FEF
    .text C:\WINDOWS\system32\svchost.exe[1348] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00F9000A
    .text C:\WINDOWS\system32\svchost.exe[1348] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00F90FEF
    .text C:\WINDOWS\system32\svchost.exe[1348] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00F9002F
    .text C:\WINDOWS\system32\svchost.exe[1348] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00F9004A
     
  9. 2010/09/23
    llsshopping

    GMER Pt. 3

    OWS\Explorer.EXE[1460] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FF000A
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FF0F8A
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FF007F
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FF0064
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FF0FA5
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FF003D
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FF00C1
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FF00A4
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FF00F7
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FF0F54
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FF0F43
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FF0FB6
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FF001B
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FF0F79
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FF0FDB
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FF002C
    .text C:\WINDOWS\Explorer.EXE[1460] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FF00DC
    .text C:\WINDOWS\Explorer.EXE[1460] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FE002F
    .text C:\WINDOWS\Explorer.EXE[1460] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FE0F79
    .text C:\WINDOWS\Explorer.EXE[1460] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FE0FD4
    .text C:\WINDOWS\Explorer.EXE[1460] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FE0FEF
    .text C:\WINDOWS\Explorer.EXE[1460] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FE0040
    .text C:\WINDOWS\Explorer.EXE[1460] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FE000A
    .text C:\WINDOWS\Explorer.EXE[1460] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00FE0FA8
    .text C:\WINDOWS\Explorer.EXE[1460] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1E, 89]
    .text C:\WINDOWS\Explorer.EXE[1460] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FE0FB9
    .text C:\WINDOWS\Explorer.EXE[1460] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FD0049
    .text C:\WINDOWS\Explorer.EXE[1460] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FD0FC8
    .text C:\WINDOWS\Explorer.EXE[1460] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FD001D
    .text C:\WINDOWS\Explorer.EXE[1460] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FD0FEF
    .text C:\WINDOWS\Explorer.EXE[1460] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FD0038
    .text C:\WINDOWS\Explorer.EXE[1460] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FD0000
    .text C:\WINDOWS\Explorer.EXE[1460] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FC0FEF
    .text C:\WINDOWS\Explorer.EXE[1460] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FC0014
    .text C:\WINDOWS\Explorer.EXE[1460] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FC0FDE
    .text C:\WINDOWS\Explorer.EXE[1460] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00FC0FC3
    .text C:\WINDOWS\Explorer.EXE[1460] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01940FEF
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90000
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90040
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B9002F
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90F55
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90F7C
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FB2
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90062
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90051
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B90ED3
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B90EEE
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90EC2
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90F97
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90FE5
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F26
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90FC3
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90FD4
    .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B90EFF
    .text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00930022
    .text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00930F9B
    .text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00930011
    .text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00930000
    .text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930058
    .text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930FEF
    .text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0093003D
    .text C:\WINDOWS\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FB6
    .text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920033
    .text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920022
    .text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00920FCD
    .text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
    .text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00920FBC
    .text C:\WINDOWS\system32\svchost.exe[1700] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FDE
    .text C:\WINDOWS\system32\svchost.exe[1700] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FEF
    .text C:\WINDOWS\system32\svchost.exe[1700] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0090000A
    .text C:\WINDOWS\system32\svchost.exe[1700] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FDE
    .text C:\WINDOWS\system32\svchost.exe[1700] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00900039
    .text C:\WINDOWS\system32\svchost.exe[1700] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0091000A
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00FEF
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B0006E
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B0005D
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B0004C
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00F83
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00025
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B00F32
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B00F43
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B000C1
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B000B0
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B00F17
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00F9E
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B00FDE
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00F5E
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B00014
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00FC3
    .text C:\WINDOWS\system32\svchost.exe[1796] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B0009F
    .text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF0FAF
    .text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF0F4A
    .text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF0FC0
    .text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF0000
    .text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF0011
    .text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF0FEF
    .text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AF0F6F
    .text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CF, 88]
    .text C:\WINDOWS\system32\svchost.exe[1796] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF0F8A
    .text C:\WINDOWS\system32\svchost.exe[1796] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AE0FC8
    .text C:\WINDOWS\system32\svchost.exe[1796] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AE0053
    .text C:\WINDOWS\system32\svchost.exe[1796] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AE0027
    .text C:\WINDOWS\system32\svchost.exe[1796] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AE000C
    .text C:\WINDOWS\system32\svchost.exe[1796] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AE0038
    .text C:\WINDOWS\system32\svchost.exe[1796] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AE0FEF
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01BB0FEF
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01BB009B
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01BB008A
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01BB0FA6
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01BB006F
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01BB004A
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01BB0F78
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01BB0F95
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01BB00FD
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01BB00E2
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01BB010E
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01BB0FC3
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01BB000A
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01BB00C0
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01BB0FD4
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01BB002F
    .text C:\WINDOWS\system32\svchost.exe[1812] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01BB00D1
    .text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01BA0FA8
    .text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01BA0F7C
    .text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01BA0FB9
    .text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01BA0FCA
    .text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01BA0F8D
    .text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01BA0FE5
    .text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01BA002F
    .text C:\WINDOWS\system32\svchost.exe[1812] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01BA0014
    .text C:\WINDOWS\system32\svchost.exe[1812] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01B90FCA
    .text C:\WINDOWS\system32\svchost.exe[1812] msvcrt.dll!system 77C293C7 5 Bytes JMP 01B90055
    .text C:\WINDOWS\system32\svchost.exe[1812] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01B90029
    .text C:\WINDOWS\system32\svchost.exe[1812] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01B90FEF
    .text C:\WINDOWS\system32\svchost.exe[1812] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01B90044
    .text C:\WINDOWS\system32\svchost.exe[1812] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01B9000C
    .text C:\WINDOWS\system32\svchost.exe[1812] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01B80FE5
    .text C:\WINDOWS\system32\svchost.exe[1812] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01B70000
    .text C:\WINDOWS\system32\svchost.exe[1812] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01B70011
    .text C:\WINDOWS\system32\svchost.exe[1812] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01B70FDB
    .text C:\WINDOWS\system32\svchost.exe[1812] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01B70036
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30000
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F3007D
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30F92
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30FA3
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F30FC0
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30FDB
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F300B0
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F3009F
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F300ED
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F300DC
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F30108
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F30058
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F3001B
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F3008E
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F30047
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F30036
    .text C:\WINDOWS\System32\svchost.exe[1860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F300C1
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F20025
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20F79
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F2000A
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F20FD4
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F20040
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F20FEF
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F20F9E
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [12, 89]
    .text C:\WINDOWS\System32\svchost.exe[1860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F20FB9
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10FAD
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10FC8
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F1001D
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10FEF
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10038
    .text C:\WINDOWS\System32\svchost.exe[1860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F1000C
    .text C:\WINDOWS\System32\svchost.exe[1860] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F00000
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006C000A
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006C009A
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006C0FA5
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006C007D
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006C0FCA
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006C0FE5
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006C00C6
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006C0F7E
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006C00F5
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006C0F5C
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006C0F4B
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006C006C
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006C001B
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006C00B5
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006C0051
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006C0040
    .text C:\WINDOWS\System32\svchost.exe[2408] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006C0F6D
    .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006B001B
    .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006B0F91
    .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006B0FCA
    .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006B000A
    .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006B004E
    .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006B0FEF
    .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!RegCreateKeyW 77DFBA55 3 Bytes JMP 006B003D
    .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!RegCreateKeyW + 4 77DFBA59 1 Byte [88]
    .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 3 Bytes JMP 006B002C
    .text C:\WINDOWS\System32\svchost.exe[2408] ADVAPI32.dll!RegCreateKeyA + 4 77DFBCF7 1 Byte [88]
    .text C:\WINDOWS\System32\svchost.exe[2408] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006A0FB5
    .text C:\WINDOWS\System32\svchost.exe[2408] msvcrt.dll!system 77C293C7 5 Bytes JMP 006A0040
    .text C:\WINDOWS\System32\svchost.exe[2408] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006A0FC6
    .text C:\WINDOWS\System32\svchost.exe[2408] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006A0FE3
    .text C:\WINDOWS\System32\svchost.exe[2408] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006A0025
    .text C:\WINDOWS\System32\svchost.exe[2408] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006A0000
    .text C:\WINDOWS\System32\svchost.exe[2408] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00690FEF
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006C0FEF
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006C0079
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006C0054
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006C0043
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006C0F86
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006C0FA8
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006C0F44
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006C0F5F
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006C00D3
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006C00C2
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006C0F1F
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006C0F97
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006C0FDE
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006C008A
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006C0014
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006C0FC3
    .text C:\WINDOWS\System32\svchost.exe[2620] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006C00B1
    .text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006B0FD4
    .text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006B0054
    .text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006B0025
    .text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006B000A
    .text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006B0F97
    .text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006B0FEF
    .text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006B0FA8
    .text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegCreateKeyW + 4 77DFBA59 1 Byte [88]
    .text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 3 Bytes JMP 006B0FC3
    .text C:\WINDOWS\System32\svchost.exe[2620] ADVAPI32.dll!RegCreateKeyA + 4 77DFBCF7 1 Byte [88]
    .text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006A0033
    .text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!system 77C293C7 5 Bytes JMP 006A0FA8
    .text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006A0018
    .text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006A0FEF
    .text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006A0FC3
    .text C:\WINDOWS\System32\svchost.exe[2620] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006A0FDE
    .text C:\WINDOWS\System32\svchost.exe[2620] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00690FEF
    .text D:\Program Files\Mozilla Firefox\firefox.exe[2720] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 D:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B40FE5
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B40F6B
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B40F7C
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B40F97
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B40FA8
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B40040
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B40F3D
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B40F5A
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B40EEC
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B40F11
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B40EDB
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B40FB9
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B40FD4
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B4007B
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B40025
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B4000A
    .text C:\WINDOWS\system32\svchost.exe[2812] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B40F2C
    .text C:\WINDOWS\system32\svchost.exe[2812] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B30FD4
    .text C:\WINDOWS\system32\svchost.exe[2812] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B30FB2
    .text C:\WINDOWS\system32\svchost.exe[2812] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B30FE5
    .text C:\WINDOWS\system32\svchost.exe[2812] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B3001B
    .text C:\WINDOWS\system32\svchost.exe[2812] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B3006F
    .text C:\WINDOWS\system32\svchost.exe[2812] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B30000
    .text C:\WINDOWS\system32\svchost.exe[2812] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B3004A
    .text C:\WINDOWS\system32\svchost.exe[2812] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B30FC3
    .text C:\WINDOWS\system32\svchost.exe[2812] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B20F90
    .text C:\WINDOWS\system32\svchost.exe[2812] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B20FAB
    .text C:\WINDOWS\system32\svchost.exe[2812] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B20FC6
    .text C:\WINDOWS\system32\svchost.exe[2812] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B20FEF
    .text C:\WINDOWS\system32\svchost.exe[2812] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B20025
    .text C:\WINDOWS\system32\svchost.exe[2812] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B20000
    .text D:\Program Files\Mozilla Firefox\plugin-container.exe[4020] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 1040098F D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----
     
  10. 2010/09/23
    llsshopping (Inactive Thread Starter)
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x030000fd

    Kernel Drivers (total 143):
    0x804D7000 \WINDOWS\system32\ntoskrnl.exe
    0x806EE000 \WINDOWS\system32\hal.dll
    0xF7987000 \WINDOWS\system32\KDCOM.DLL
    0xF7897000 \WINDOWS\system32\BOOTVID.dll
    0xF75A8000 ACPI.sys
    0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF7597000 pci.sys
    0xF75F7000 isapnp.sys
    0xF7607000 ohci1394.sys
    0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF7A4F000 PCIIde.sys
    0xF7707000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
    0xF798B000 intelide.sys
    0xF7627000 MountMgr.sys
    0xF74D8000 ftdisk.sys
    0xF798D000 dmload.sys
    0xF74B2000 dmio.sys
    0xF770F000 PartMgr.sys
    0xF7637000 VolSnap.sys
    0xF749A000 atapi.sys
    0xF7647000 disk.sys
    0xF7657000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF747A000 fltmgr.sys
    0xF7468000 sr.sys
    0xF7667000 PxHelp20.sys
    0xF7870000 KSecDD.sys
    0xF7B52000 Ntfs.sys
    0xF7843000 NDIS.sys
    0xF7829000 Mup.sys
    0xF7677000 agp440.sys
    0xF76B7000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xBA331000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xBA31D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF773F000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xBA2F9000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7747000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xBA2B2000 \SystemRoot\system32\DRIVERS\yk51x86.sys
    0xF76C7000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF76D7000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF791B000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7767000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xBA29E000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF76E7000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF7777000 \SystemRoot\system32\drivers\Afc.sys
    0xF7A74000 \SystemRoot\System32\Drivers\ElbyDelay.sys
    0xF76F7000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7587000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA1DB000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA14D000 \SystemRoot\system32\drivers\smwdm.sys
    0xBA129000 \SystemRoot\system32\drivers\portcls.sys
    0xF7577000 \SystemRoot\system32\drivers\drmk.sys
    0xBA111000 \SystemRoot\system32\drivers\aeaudio.sys
    0xF7A83000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF7567000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF793B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xBA0FA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF7557000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF7547000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF77AF000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xBA0C1000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF7537000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF77BF000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF77CF000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xBA091000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF7527000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF77DF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF77E7000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF799B000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xBA033000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA7EC000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF7517000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7458000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF79A1000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF77FF000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xF79A5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF7A66000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7737000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF774F000 \SystemRoot\System32\drivers\vga.sys
    0xF79A9000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF79AD000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF775F000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF777F000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA0F6000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA9E54000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA9DFB000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA9DD4000 \SystemRoot\System32\Drivers\Mpfp.sys
    0xA9DAE000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF7428000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF7418000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
    0xF7408000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xA9D86000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA9D64000 \SystemRoot\System32\drivers\afd.sys
    0xF7887000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xA9D39000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA9CC9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA9C96000 \SystemRoot\system32\drivers\mfehidk.sys
    0xF77C7000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xF76A7000 \SystemRoot\System32\Drivers\Fips.SYS
    0xBA021000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA27E000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA011000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xF77EF000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
    0xBA25E000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xA9B53000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
    0xBA005000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xA9EC7000 \SystemRoot\system32\DRIVERS\point32.sys
    0xA9EB7000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xA9EFB000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xA9EA7000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xA9E97000 \SystemRoot\system32\DRIVERS\HPZius12.sys
    0xBA24E000 \SystemRoot\system32\DRIVERS\HPZid412.sys
    0xBA23E000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA9EF3000 \SystemRoot\system32\DRIVERS\HPZipr12.sys
    0xA9AEB000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF79B7000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xA9EE7000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF7757000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7A9E000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF061000 \SystemRoot\System32\ati2cqag.dll
    0xBF0E9000 \SystemRoot\System32\atikvmag.dll
    0xBF14F000 \SystemRoot\System32\atiok3x2.dll
    0xBF18F000 \SystemRoot\System32\ati3duag.dll
    0xBF4E6000 \SystemRoot\System32\ativvaxx.dll
    0xA7A9F000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xA7973000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA7662000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF79F5000 \SystemRoot\System32\Drivers\ParVdm.SYS
    0xA7777000 \SystemRoot\System32\Drivers\ElbyCDIO.sys
    0xA75F9000 \SystemRoot\System32\Drivers\HTTP.sys
    0xA73E0000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA9B23000 \??\C:\WINDOWS\system32\drivers\symlcbrd.sys
    0xF79C9000 \SystemRoot\system32\DRIVERS\serscan.sys
    0xF7787000 \SystemRoot\system32\drivers\mfebopk.sys
    0xA6C9E000 \SystemRoot\system32\drivers\mfeavfk.sys
    0xA6C0E000 \SystemRoot\system32\drivers\mfesmfk.sys
    0xA6991000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA6DD8000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA6914000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 49):
    0 System Idle Process
    4 System
    628 C:\WINDOWS\system32\smss.exe
    696 csrss.exe
    728 C:\WINDOWS\system32\winlogon.exe
    776 C:\WINDOWS\system32\services.exe
    796 C:\WINDOWS\system32\lsass.exe
    952 C:\WINDOWS\system32\ati2evxx.exe
    972 C:\WINDOWS\system32\svchost.exe
    1108 svchost.exe
    1204 C:\WINDOWS\system32\svchost.exe
    1264 svchost.exe
    1320 C:\WINDOWS\system32\ati2evxx.exe
    1372 svchost.exe
    1608 C:\WINDOWS\system32\spoolsv.exe
    1712 svchost.exe
    1744 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    1804 C:\WINDOWS\system32\svchost.exe
    1820 C:\WINDOWS\system32\svchost.exe
    1864 C:\WINDOWS\system32\svchost.exe
    1884 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    1972 D:\Program Files\Java\jre6\bin\jqs.exe
    136 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    168 C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    240 C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
    688 C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
    1000 C:\PROGRA~1\McAfee\VIRUSS~1\Mcshield.exe
    1192 C:\Program Files\McAfee\MPF\MpfSrv.exe
    1296 C:\WINDOWS\system32\svchost.exe
    1316 C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
    2020 C:\WINDOWS\system32\svchost.exe
    2072 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    2100 C:\WINDOWS\system32\svchost.exe
    2352 wmpnetwk.exe
    3504 alg.exe
    2240 C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    2492 C:\WINDOWS\explorer.exe
    2768 C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
    2652 C:\WINDOWS\system32\rundll32.exe
    3292 C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    3336 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    3544 C:\WINDOWS\system32\ctfmon.exe
    3636 C:\WINDOWS\system32\wuauclt.exe
    3668 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    3152 D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    4092 C:\WINDOWS\system32\wuauclt.exe
    2648 D:\Program Files\Mozilla Firefox\firefox.exe
    624 D:\Program Files\Mozilla Firefox\plugin-container.exe
    3940 C:\Documents and Settings\Admin\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive3 at offset 0x00000000`00007e00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)
    \\.\F: --> \\.\PhysicalDrive4 at offset 0x00000000`00007e00 (FAT32)
    \\.\H: --> \\.\PhysicalDrive2 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive3 Model Number: WDCWD360GD-00FLA1, Rev: 27.08D27
    PhysicalDrive0 Model Number: ST340016A, Rev: 3.19
    PhysicalDrive1 Model Number: ST3160023A, Rev: 8.01
    PhysicalDrive4 Model Number: WD4000AAK External, Rev: 1.06
    PhysicalDrive2 Model Number: WDCWD6400AAKS-65A7B2, Rev: 01.03B01

    Size Device Name MBR Status
    --------------------------------------------
    34 GB \\.\PhysicalDrive3 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    149 GB \\.\PhysicalDrive1 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    372 GB \\.\PhysicalDrive4 RE: Unknown MBR code
    SHA1: 79D7AEC487DFDD445C6A0908CE4C984DA566FF03
    596 GB \\.\PhysicalDrive2 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
     
  11. 2010/09/23
    broni (Moderator, Malware Analyst)
    All looks good, so far...

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  12. 2010/09/23
    llsshopping (Inactive Thread Starter)
    Here is the log. And, I reluctantly upgraded to IE7.

    Thank you.

    ComboFix 10-09-23.01 - Admin 09/23/2010 20:25:18.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1297 [GMT -4:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))
    .

    2010-09-23 01:56 . 2010-06-24 12:15 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-09-23 01:56 . 2010-06-24 12:15 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2010-09-23 01:56 . 2010-06-24 12:15 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2010-09-23 01:56 . 2010-06-24 12:15 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2010-09-23 01:56 . 2010-06-24 12:15 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
    2010-09-23 01:56 . 2010-06-23 12:06 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
    2010-09-23 01:56 . 2010-06-24 12:15 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
    2010-09-23 01:56 . 2010-02-22 22:04 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
    2010-09-06 03:28 . 2010-09-06 03:28 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Help
    2010-09-05 16:30 . 2010-09-05 16:30 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Ahead

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-23 10:00 . 2008-10-28 02:12 72704 --sha-w- c:\documents and settings\All Users\Application Data\ExtendMedia\Media Agent\ac.dll
    2010-09-06 04:08 . 2010-02-24 02:05 142008 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-05 14:17 . 2008-06-26 09:03 142008 ----a-w- c:\documents and settings\Lisa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-03 22:41 . 2010-08-19 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
    2010-09-03 10:41 . 2010-02-13 04:30 664 ----a-w- c:\documents and settings\Lance\Local Settings\Application Data\d3d9caps.dat
    2010-09-03 09:39 . 2010-04-26 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-09-03 09:39 . 2008-06-25 22:07 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-08-23 12:28 . 2008-06-25 21:50 142008 ----a-w- c:\documents and settings\Lance\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-20 22:59 . 2010-08-20 22:59 -------- d-----w- c:\program files\MSECache
    2010-08-12 00:13 . 2008-06-25 23:28 -------- d-----w- c:\program files\Common Files\Adobe
    2010-08-07 18:18 . 2009-11-08 21:01 -------- d-----w- c:\program files\McAfee
    2010-08-02 16:02 . 2010-05-14 00:30 -------- d-----w- c:\program files\Panda Security
    2010-08-02 13:42 . 2010-08-02 13:42 -------- d-----w- c:\program files\NAVIGON
    2010-07-15 19:18 . 2009-11-08 21:10 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    .

    ------- Sigcheck -------

    [7] 2008-04-13 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . c:\windows\system32\dllcache\beep.sys

    c:\windows\System32\drivers\beep.sys ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
    "QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - d:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 01:17 49152 ----a-w- d:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2007-08-22 20:31 80896 ----a-w- d:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2007-08-31 16:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
    2007-08-31 16:13 988584 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 21:18 413696 ----a-w- d:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
    2007-05-11 20:20 2061816 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    2007-09-28 18:30 936960 ----a-w- c:\program files\Verizon\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58327:TCP"= 58327:TCP:pandoRest Listening Port

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/8/2009 5:54 PM 93320]
    R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [8/29/2008 5:29 PM 835208]
    S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [1/2/2009 11:57 PM 43024]
    S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [1/2/2009 11:57 PM 77104]
    S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [1/2/2009 11:57 PM 60816]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-08 17:22]

    2010-09-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-08 17:22]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://69.3.198.64:100/RemoteWeb.cab
    DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://69.3.198.64:100/VideoViewer.cab
    DPF: {DB31DA00-4F6F-4CC7-8627-C5A142E1FC7C} - hxxp://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\6nmyrlwn.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: d:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
    FF - plugin: d:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
    FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\NPcol308.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-23 20:32
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(728)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(1628)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-09-23 20:34:35
    ComboFix-quarantined-files.txt 2010-09-24 00:34
    ComboFix2.txt 2010-05-07 23:21

    Pre-Run: 14,665,912,320 bytes free
    Post-Run: 15,207,333,888 bytes free

    - - End Of File - - 50AFF4D8EE6DAA73A163BECCAB01D9C0
     
  13. 2010/09/23
    broni (Moderator, Malware Analyst)
    You're silly, as if I asked you to take poison :)

    Combofix log looks pretty good :)
    How is computer doing?


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\windows\system32\dllcache\beep.sys | c:\windows\System32\drivers\beep.sys
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
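The check a practitioner wants after an FCopy:: restore is that the copy actually landed and is byte-for-byte the protected original. The script below is an added example for this thread (not ComboFix's code and not part of broni's post). It assumes the XP layout shown in the log (system32\dllcache as the source, system32\drivers as the destination), builds a constructed sample tree instead of touching a real system, and compares size and SHA-256 for each driver name. null.sys in the fixture is a hypothetical second driver used only to show what a mismatch looks like.

```python
"""Verify that drivers restored with ComboFix's FCopy:: directive match
their dllcache originals.  Added example; not ComboFix's own code."""
import hashlib
import tempfile
from pathlib import Path

# Drivers to check.  The ComboFix log in this thread reports the XP SP3
# dllcache copy of beep.sys as 4224 bytes; null.sys is a hypothetical extra.
DRIVERS = ("beep.sys", "null.sys")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 (drivers are small, but be tidy)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_driver(system32: Path, name: str) -> dict:
    """Compare drivers\\<name> against dllcache\\<name>.

    Returns a dict whose 'status' is MATCH, MISMATCH, MISSING_DEST or
    MISSING_SOURCE, plus the sizes and hashes compared, so the caller can
    record them next to the ComboFix output.
    """
    src = system32 / "dllcache" / name
    dst = system32 / "drivers" / name
    result = {"driver": name, "source": str(src), "dest": str(dst)}
    if not src.is_file():
        result["status"] = "MISSING_SOURCE"
        return result
    if not dst.is_file():
        result["status"] = "MISSING_DEST"
        return result
    result["src_size"], result["dst_size"] = src.stat().st_size, dst.stat().st_size
    result["src_sha256"], result["dst_sha256"] = sha256_of(src), sha256_of(dst)
    same = (result["src_size"] == result["dst_size"]
            and result["src_sha256"] == result["dst_sha256"])
    result["status"] = "MATCH" if same else "MISMATCH"
    return result


def check_all(system32: Path, names=DRIVERS) -> dict:
    """Map each driver name to its comparison status."""
    return {n: check_driver(system32, n)["status"] for n in names}


def build_fixture() -> Path:
    """Constructed sample tree (not files from the poster's machine):
    beep.sys restored correctly, null.sys still differing from dllcache."""
    root = Path(tempfile.mkdtemp(prefix="xp_sys32_"))
    (root / "dllcache").mkdir()
    (root / "drivers").mkdir()
    clean = b"MZ" + b"\x00" * 4222          # 4224 bytes, like the logged beep.sys
    (root / "dllcache" / "beep.sys").write_bytes(clean)
    (root / "drivers" / "beep.sys").write_bytes(clean)
    (root / "dllcache" / "null.sys").write_bytes(b"MZ" + b"\x00" * 100)
    # Same size, different bytes: what a byte-patched driver looks like.
    (root / "drivers" / "null.sys").write_bytes(b"MZ" + b"\x00" * 99 + b"\x90")
    return root


if __name__ == "__main__":
    for driver, status in check_all(build_fixture()).items():
        print(f"{driver}: {status}")
```

On a live XP box you would point `check_all` at `C:\WINDOWS\system32`. A MATCH only proves the two copies agree: FCopy:: trusts dllcache, so if the cached copy had itself been replaced, both files would agree and still be wrong. Compare the hash against the same file from a known-clean XP SP3 installation before treating the driver as clean.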
  14. 2010/09/23
    llsshopping (Inactive, Thread Starter)
    It doesn't mean I have to like it; I know quite a few who didn't/don't like Vista. Besides, my 60k-employee, multinational firm still uses IE6. Anyway, no hard feelings.

    Here is the next log:

    ComboFix 10-09-23.01 - Admin 09/23/2010 22:52:05.5.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1522 [GMT -4:00]
    Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    --------------- FCopy ---------------

    c:\windows\system32\dllcache\beep.sys --> c:\windows\System32\drivers\beep.sys
    .
    ((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))
    .

    2010-09-24 02:52 . 2008-04-13 23:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
    2010-09-23 01:56 . 2010-06-24 12:15 52224 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2010-09-23 01:56 . 2010-06-24 12:15 459264 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2010-09-23 01:56 . 2010-06-24 12:15 6067200 -c----w- c:\windows\system32\dllcache\ieframe.dll
    2010-09-23 01:56 . 2010-06-24 12:15 268288 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2010-09-23 01:56 . 2010-06-24 12:15 380928 -c----w- c:\windows\system32\dllcache\ieapfltr.dll
    2010-09-23 01:56 . 2010-06-23 12:06 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
    2010-09-23 01:56 . 2010-06-24 12:15 63488 -c----w- c:\windows\system32\dllcache\icardie.dll
    2010-09-23 01:56 . 2010-02-22 22:04 2452872 -c----w- c:\windows\system32\dllcache\ieapfltr.dat
    2010-09-06 03:28 . 2010-09-06 03:28 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Help
    2010-09-05 16:30 . 2010-09-05 16:30 -------- d-----w- c:\documents and settings\Admin\Local Settings\Application Data\Ahead

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-09-23 10:00 . 2008-10-28 02:12 72704 --sha-w- c:\documents and settings\All Users\Application Data\ExtendMedia\Media Agent\ac.dll
    2010-09-06 04:08 . 2010-02-24 02:05 142008 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-05 14:17 . 2008-06-26 09:03 142008 ----a-w- c:\documents and settings\Lisa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-09-03 22:41 . 2010-08-19 12:00 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
    2010-09-03 10:41 . 2010-02-13 04:30 664 ----a-w- c:\documents and settings\Lance\Local Settings\Application Data\d3d9caps.dat
    2010-09-03 09:39 . 2010-04-26 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\ArcSoft
    2010-09-03 09:39 . 2008-06-25 22:07 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-08-23 12:28 . 2008-06-25 21:50 142008 ----a-w- c:\documents and settings\Lance\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-20 22:59 . 2010-08-20 22:59 -------- d-----w- c:\program files\MSECache
    2010-08-12 00:13 . 2008-06-25 23:28 -------- d-----w- c:\program files\Common Files\Adobe
    2010-08-07 18:18 . 2009-11-08 21:01 -------- d-----w- c:\program files\McAfee
    2010-08-02 16:02 . 2010-05-14 00:30 -------- d-----w- c:\program files\Panda Security
    2010-08-02 13:42 . 2010-08-02 13:42 -------- d-----w- c:\program files\NAVIGON
    2010-07-15 19:18 . 2009-11-08 21:10 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
    2010-06-30 12:31 . 2004-08-04 12:00 149504 ----a-w- c:\windows\system32\schannel.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-09-24_00.32.32 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2010-05-30 13:45 . 2010-09-23 21:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2010-05-30 13:45 . 2010-09-24 02:22 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-06-25 21:48 . 2010-09-24 02:22 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-06-25 21:48 . 2010-09-23 21:27 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-09-24 02:19 . 2010-09-24 02:22 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
    "QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
    "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-03-18 207360]
    "Adobe Reader Speed Launcher"="d:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - d:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 217194]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoWelcomeScreen"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2007-10-15 01:17 49152 ----a-w- d:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpqSRMon]
    2007-08-22 20:31 80896 ----a-w- d:\program files\HP\Digital Imaging\bin\HpqSRmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
    2007-08-31 16:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
    2007-08-31 16:13 988584 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-01-05 21:18 413696 ----a-w- d:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
    2007-05-11 20:20 2061816 ----a-w- c:\program files\Verizon\VSP\VerizonServicepoint.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Verizon_McciTrayApp]
    2007-09-28 18:30 936960 ----a-w- c:\program files\Verizon\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "d:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
    "c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
    "d:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58327:TCP"= 58327:TCP:pandoRest Listening Port

    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [11/8/2009 5:54 PM 93320]
    R2 OpenCASE Media Agent;OpenCASE Media Agent;c:\program files\OpenCase\OpenCASE Media Agent\MediaAgent.exe [8/29/2008 5:29 PM 835208]
    S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [1/2/2009 11:57 PM 43024]
    S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [1/2/2009 11:57 PM 77104]
    S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [1/2/2009 11:57 PM 60816]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    HPService REG_MULTI_SZ HPSLPSVC
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    Contents of the 'Scheduled Tasks' folder

    2010-09-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-08 17:22]

    2010-09-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-11-08 17:22]
    .
    .
    ------- Supplementary Scan -------
    .
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://69.3.198.64:100/RemoteWeb.cab
    DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} - hxxp://69.3.198.64:100/VideoViewer.cab
    DPF: {DB31DA00-4F6F-4CC7-8627-C5A142E1FC7C} - hxxp://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab
    FF - ProfilePath - c:\documents and settings\Admin\Application Data\Mozilla\Firefox\Profiles\6nmyrlwn.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: d:\program files\Adobe\Reader 9.0\Reader\browser\nppdf32.dll
    FF - plugin: d:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
    FF - plugin: d:\program files\Java\jre6\bin\new_plugin\npjp2.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\NPcol308.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
    FF - plugin: d:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin2.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin3.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin4.dll
    FF - plugin: d:\program files\QuickTime\Plugins\npqtplugin5.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    d:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    d:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-09-23 23:00
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(728)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'winlogon.exe'(2460)
    c:\windows\system32\Ati2evxx.dll

    - - - - - - - > 'explorer.exe'(4460)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll

    - - - - - - - > 'explorer.exe'(3396)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-09-23 23:03:03
    ComboFix-quarantined-files.txt 2010-09-24 03:02
    ComboFix2.txt 2010-09-24 00:34
    ComboFix3.txt 2010-05-07 23:21

    Pre-Run: 15,411,388,416 bytes free
    Post-Run: 15,396,249,600 bytes free

    - - End Of File - - 69EC2544F16B7C2440354D26433236FA
     
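Before a ComboFix log is called "good", a practitioner would want a repeatable pass over the registry loading points and DPF (ActiveX download) lines rather than eyeballing them. The script below is an added example for this thread, not ComboFix's code and not part of either poster's message. It flags the kinds of entries visible in the log above: a Windows Firewall profile switched off, Security Center monitoring disabled for a product, firewall application exceptions, globally open ports, and DPF entries that download from a raw IP address or a non-default port. SAMPLE_LOG is constructed from lines modelled on the log; the severities ("info" versus "review") and the rules are this example's own convention, not ComboFix's.

```python
"""Triage the 'Reg Loading Points' and DPF lines of a ComboFix log.
Added example for this thread; not ComboFix's own code."""
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the log in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="d:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\OpenCase\\OpenCASE Media Agent\\PandoBinaries\\NBCPandoREST.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58327:TCP"= 58327:TCP:pandoRest Listening Port

DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} - hxxp://69.3.198.64:100/RemoteWeb.cab
DPF: {DB31DA00-4F6F-4CC7-8627-C5A142E1FC7C} - hxxp://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
DPF_RE = re.compile(r"^DPF:\s*(?P<clsid>\{[0-9A-Fa-f-]+\})\s*-\s*(?P<url>\S+)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _dword(data: str) -> int:
    """'dword:00000001' -> 1."""
    return int(data.split(":", 1)[1], 16)


def _check_value(key: str, name: str, data: str) -> list:
    """Apply the per-key rules; key is the lower-cased registry path."""
    out = []
    if key.endswith("\\firewallpolicy\\standardprofile") and name == "EnableFirewall":
        if data.split()[0] == "0":
            out.append(("info", "Windows Firewall standard profile is off "
                                "(expected only if a third-party firewall is active)"))
    elif "\\security center\\monitoring\\" in key and name == "DisableMonitoring":
        if _dword(data) == 1:
            product = key.rsplit("\\", 1)[-1]
            out.append(("review", f"Security Center monitoring disabled for {product}"))
    elif key.endswith("\\authorizedapplications\\list"):
        out.append(("info", f"firewall exception: {name}"))
    elif key.endswith("\\globallyopenports\\list"):
        out.append(("review", f"globally open port: {name} ({data})"))
    elif key.endswith("\\currentversion\\run"):
        out.append(("info", f"Run entry {name}: {data}"))
    return out


def _check_dpf(clsid: str, url: str) -> list:
    """Flag ActiveX downloads from raw IPs or non-default ports for review."""
    # ComboFix defangs http as hxxp; undo that so urlsplit can parse it.
    parts = urlsplit(url.replace("hxxp", "http", 1))
    host = parts.hostname or ""
    reasons = []
    if IPV4_RE.match(host):
        reasons.append("raw IP host")
    if parts.port not in (None, 80, 443):
        reasons.append(f"non-default port {parts.port}")
    if reasons:
        return [("review", f"DPF {clsid} from {url}: " + ", ".join(reasons))]
    return [("info", f"DPF {clsid} from {host}")]


def triage(log_text: str) -> list:
    """Return (severity, message) findings for the registry and DPF lines."""
    findings, key = [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group("key").lower()
        elif m := DPF_RE.match(line):
            findings.extend(_check_dpf(m.group("clsid"), m.group("url")))
        elif m := VALUE_RE.match(line):
            findings.extend(_check_value(key, m.group("name"), m.group("data").strip()))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per severity."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

A "review" finding is a prompt to look, not a verdict: DisableMonitoring=1 is what a registered security suite legitimately sets, and a DVR or camera vendor may well serve its ActiveX viewer from a bare IP on port 100. The point of the pass is that those lines do not slide by unread.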
  15. 2010/09/23
    broni (Moderator, Malware Analyst)
    Unfortunately, it's nothing to be proud of, but rather to be ashamed of.
    Do they still use an abacus too? :)

    Combofix log looks good :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  16. 2010/09/23
    llsshopping (Inactive, Thread Starter)
    Again, no hard feelings.

    OTL logfile created on: 9/23/2010 11:28:21 PM - Run 1
    OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Admin\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 34.46 Gb Total Space | 14.35 Gb Free Space | 41.65% Space Free | Partition Type: NTFS
    Drive D: | 37.26 Gb Total Space | 2.68 Gb Free Space | 7.19% Space Free | Partition Type: NTFS
    Drive E: | 149.04 Gb Total Space | 3.87 Gb Free Space | 2.59% Space Free | Partition Type: NTFS
    Drive F: | 372.51 Gb Total Space | 223.17 Gb Free Space | 59.91% Space Free | Partition Type: FAT32
    G: Drive not present or media not loaded
    Drive H: | 596.17 Gb Total Space | 549.08 Gb Free Space | 92.10% Space Free | Partition Type: NTFS
    I: Drive not present or media not loaded

    Computer Name: landlhome
    Current User Name: Admin
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/09/23 23:26:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
    PRC - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    PRC - [2010/03/24 13:58:22 | 000,309,760 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    PRC - [2010/03/18 11:19:26 | 000,207,360 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
    PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
    PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    PRC - [2009/09/16 11:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
    PRC - [2009/09/16 10:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
    PRC - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
    PRC - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
    PRC - [2008/08/29 17:29:14 | 000,835,208 | ---- | M] (ExtendMedia Inc.) -- C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
    PRC - [2008/04/13 20:12:43 | 000,009,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scrnsave.scr
    PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2003/10/24 00:37:56 | 000,217,194 | ---- | M] (Adobe Systems Inc.) -- D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    PRC - [2003/05/29 16:28:32 | 000,790,528 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/09/23 23:26:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    MOD - [2010/04/01 09:57:36 | 000,015,056 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
    MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
    SRV - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
    SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
    SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2009/09/16 12:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2009/09/16 11:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
    SRV - [2009/09/16 10:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
    SRV - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
    SRV - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
    SRV - [2008/08/29 17:29:14 | 000,835,208 | ---- | M] (ExtendMedia Inc.) [Auto | Running] -- C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe -- (OpenCASE Media Agent)
    SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
    DRV - [2009/09/16 11:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2009/09/16 11:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2009/09/16 11:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
    DRV - [2009/09/16 11:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/09/16 11:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
    DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
    DRV - [2008/06/27 00:31:06 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
    DRV - [2008/06/25 23:16:04 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)
    DRV - [2008/06/03 02:20:54 | 003,100,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2008/05/20 10:01:00 | 000,288,896 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
    DRV - [2008/04/13 14:46:20 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
    DRV - [2008/04/13 14:46:20 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
    DRV - [2008/04/13 14:46:10 | 000,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
    DRV - [2007/09/28 14:30:57 | 000,019,345 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMPR5.sys -- (MREMPR5)
    DRV - [2007/09/28 14:30:49 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
    DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
    DRV - [2005/01/01 21:11:43 | 000,003,968 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
    DRV - [2005/01/01 21:07:05 | 000,009,728 | ---- | M] (Elaborate Bytes AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
    DRV - [2002/10/15 16:07:30 | 000,060,816 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgatserd.sys -- (lgatserd) LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM)
    DRV - [2002/10/15 16:05:38 | 000,077,104 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgatmdm.sys -- (lgatmdm)
    DRV - [2002/10/15 16:03:34 | 000,043,024 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgatbus.sys -- (lgatbus) LG USB Composite Device driver (WDM)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

    IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome "
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1

    FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/07/02 17:45:37 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2010/09/23 18:44:18 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2010/09/23 18:44:18 | 000,000,000 | ---D | M]

    [2010/03/12 21:09:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Extensions
    [2010/09/23 21:20:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\6nmyrlwn.default\extensions
    [2010/03/13 00:10:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\6nmyrlwn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    O1 HOSTS File: ([2010/03/14 15:24:20 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
    O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
    O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\npjpi160_18.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - D:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
    O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon FiOS Installer.cab (Support.com Configuration Class)
    O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} http://69.3.198.64:100/RemoteWeb.cab (Remote200 Control)
    O16 - DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} http://69.3.198.64:100/VideoViewer.cab (CViewerControl Object)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {DB31DA00-4F6F-4CC7-8627-C5A142E1FC7C} http://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab (SyncXfer Class)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} http://trueswitch.com/TrueInstall.exe (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.250.0.12
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/06/25 17:34:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2007/03/05 09:43:24 | 000,000,000 | ---D | M] - F:\autorun -- [ FAT32 ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.DVSD - pdvcodec.dll File not found
    Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.MP42 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
    Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/09/23 23:26:02 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    [2010/09/23 22:50:46 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2010/09/23 20:23:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/09/23 20:23:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/09/23 20:23:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/09/23 20:23:08 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/09/23 20:22:54 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/09/22 21:57:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
    [2010/09/22 21:56:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
    [2010/09/22 21:55:03 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie7
    [2010/09/22 21:54:32 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
    [2010/09/22 21:53:18 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
    [2010/09/05 23:28:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Local Settings\Application Data\Help
    [2010/09/05 23:28:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Application Data\Help
    [2010/09/05 12:30:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Local Settings\Application Data\Ahead
    [2010/08/20 18:59:59 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
    [2010/08/19 08:00:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
    [2010/08/02 09:42:02 | 000,000,000 | ---D | C] -- C:\Program Files\NAVIGON

    ========== Files - Modified Within 90 Days ==========

    [2010/09/23 23:26:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    [2010/09/23 23:11:50 | 000,017,853 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
    [2010/09/23 23:03:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/09/23 23:01:03 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/09/23 20:21:29 | 003,851,266 | R--- | M] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    [2010/09/23 05:58:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/09/23 05:57:39 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\MBRCheck.exe
    [2010/09/22 22:16:08 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\v1fr64un.exe
    [2010/09/22 22:14:11 | 002,621,440 | -H-- | M] () -- C:\Documents and Settings\Admin\NTUSER.DAT
    [2010/09/22 22:11:43 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2010/09/22 22:10:42 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/09/22 22:08:18 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Admin\ntuser.ini
    [2010/09/22 21:57:35 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/09/19 00:03:26 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
    [2010/09/15 01:00:00 | 000,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
    [2010/09/06 00:18:53 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/09/06 00:08:09 | 000,142,008 | ---- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2010/09/01 01:00:11 | 000,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
    [2010/08/23 08:04:27 | 000,454,864 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/08/20 12:05:26 | 000,504,736 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/08/20 12:05:26 | 000,443,588 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/08/20 12:05:26 | 000,071,846 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/08/20 11:50:34 | 000,001,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2010/08/19 07:57:32 | 000,000,190 | ---- | M] () -- C:\WINDOWS\WININIT.INI
    [2010/08/02 09:42:10 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\NAVIGON Fresh.lnk
    [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
    [2010/07/02 17:44:25 | 006,428,170 | -H-- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\IconCache.db

    ========== Files Created - No Company Name ==========

    [2010/09/23 20:23:08 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/09/23 20:23:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/09/23 20:23:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/09/23 20:23:08 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/09/23 20:23:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/09/23 20:21:23 | 003,851,266 | R--- | C] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    [2010/09/23 05:57:38 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\MBRCheck.exe
    [2010/09/22 22:16:07 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\v1fr64un.exe
    [2010/08/11 20:13:27 | 000,001,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2010/05/15 20:24:20 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\housecall.guid.cache
    [2010/02/14 15:07:04 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\Admin\Application Data\dumpexif.ini
    [2010/01/27 21:12:45 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2010/01/27 21:12:45 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
    [2010/01/27 21:12:35 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/10/27 18:53:55 | 000,000,028 | ---- | C] () -- C:\WINDOWS\MotionDVSTUDIO.INI
    [2009/07/20 21:05:10 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2008/12/22 16:43:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
    [2008/09/02 23:17:48 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/07/05 23:22:32 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2008/06/27 21:43:49 | 000,000,122 | ---- | C] () -- C:\WINDOWS\_vmtxp.INI
    [2008/06/27 16:54:44 | 000,001,656 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
    [2008/06/27 01:34:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/06/27 01:04:12 | 000,000,190 | ---- | C] () -- C:\WINDOWS\WININIT.INI
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2010/02/14 15:07:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\SquirrelWare
    [2008/10/27 22:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ExtendMedia
    [2010/05/16 13:03:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
    [2008/12/11 23:54:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
    [2009/10/26 21:56:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panasonic
    [2008/08/30 21:15:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2009/04/21 22:46:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{964C8871-6315-4FC5-8A47-F4C420428929}
    [2010/09/15 01:00:00 | 000,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
    [2010/09/01 01:00:11 | 000,000,332 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2008/06/25 17:34:10 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2009/11/09 19:27:06 | 000,000,211 | -HS- | M] () -- C:\Boot.bak
    [2010/05/30 08:16:18 | 000,000,281 | -HS- | M] () -- C:\boot.ini
    [2004/08/04 00:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
    [2010/09/23 23:03:04 | 000,014,915 | ---- | M] () -- C:\ComboFix.txt
    [2008/06/25 17:34:10 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/09/03 05:39:32 | 000,000,045 | ---- | M] () -- C:\error.log
    [2008/06/27 00:41:46 | 209,715,200 | -HS- | M] () -- C:\gobackio.bin
    [2008/06/25 17:34:10 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/01/02 15:11:48 | 000,000,623 | ---- | M] () -- C:\JavaRa.log
    [2008/06/25 17:34:10 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008/11/08 01:18:01 | 000,001,142 | ---- | M] () -- C:\NTDClient.log
    [2004/08/04 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/06/25 18:19:58 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/09/23 05:58:17 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2008/06/25 17:33:45 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/03/15 15:32:10 | 000,274,944 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5ha.dll
    [2004/03/22 15:17:08 | 000,025,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 06:50:04 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2008/06/25 13:21:06 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2008/06/25 13:21:06 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2008/06/25 13:21:06 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/06/25 18:22:59 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/05/08 23:18:32 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2010/01/05 00:25:06 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/09/23 20:21:29 | 003,851,266 | R--- | M] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    [2010/09/23 05:57:39 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\MBRCheck.exe
    [2010/09/23 23:26:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    [2010/05/07 19:29:21 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\TFC.exe
    [2010/09/22 22:16:08 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\v1fr64un.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/05/08 23:18:25 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Admin\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2008/06/26 01:07:44 | 000,002,518 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/09/23 23:11:59 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\Admin\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2004/08/04 01:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
    "NoAutoUpdate" = 0
    "AUOptions" = 2
    "ScheduledInstallDay" = 0
    "ScheduledInstallTime" = 3
    "UseWUServer" = 0
    "NoAutoRebootWithLoggedOnUsers" = 1
    "AutoInstallMinorUpdates" = 0

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

    < End of report >
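Triage of the OTL log above, as an added example that is not part of the post, of OTL, or of any tool the log names. It decodes the two AutoRun policies the O6/O7 lines report (NoDriveTypeAutoRun = 323 and NoDriveAutoRun = 67108863), pulls out the DRV entries OTL marks "File not found" yet Running, and flags O16 DPF (ActiveX download) entries that are served from a bare IP, from a non-standard port, or as a plain .exe. The sample lines are copied from the log; the function names, the DRIVE_* bit table and the flag labels are this example's own.

```python
"""Triage helpers for an OTL log pasted into a malware-removal thread.

Added example: not part of the forum post, of OTL, or of any tool the log names.
The sample lines are copied from the log in the post; every function name, the
DRIVE_* bit table and the flag labels are this example's own.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# NoDriveTypeAutoRun (policies\Explorer): a set bit disables AutoRun for that
# DRIVE_* type. Bits above 0x40 (the 0x100 inside the log's value 323) do not
# map to a documented drive type and are ignored here.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM", 0x40: "DRIVE_RAMDISK",
}


def decode_no_drive_type_autorun(value: int) -> Dict[str, bool]:
    """Drive type -> True when NoDriveTypeAutoRun disables AutoRun for it."""
    return {name: bool(value & bit) for bit, name in DRIVE_TYPE_BITS.items()}


def drives_blocked_by_no_drive_autorun(value: int) -> List[str]:
    """NoDriveAutoRun is a 26-bit mask over drive letters: bit 0 = A:, bit 25 = Z:."""
    return [chr(ord("A") + i) for i in range(26) if value & (1 << i)]


def autorun_disabled(letter: str, drive_type: str, no_drive_type: int, no_drive: int) -> bool:
    """AutoRun is off for a drive when either policy covers it (by type or by letter)."""
    by_type = decode_no_drive_type_autorun(no_drive_type).get(drive_type, False)
    by_letter = letter.upper() in drives_blocked_by_no_drive_autorun(no_drive)
    return by_type or by_letter


# OTL driver line: "DRV - <File not found | [date | size | attrs | M]> (Company)? [Type | Start | State] -- path -- (name)"
DRV_RE = re.compile(
    r"^DRV - (?:File not found|\[[^\]]*\]) ?(?:\((?P<company>[^)]*)\) )?"
    r"\[(?P<state>[^\]]*)\] -- (?P<path>.+?) -- \((?P<name>[^)]*)\)"
)
# OTL ActiveX download line: "O16 - DPF: {CLSID} url (description)"
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) (?P<url>.+?) \((?P<desc>[^)]*)\)$")


def parse_drv(line: str) -> Optional[dict]:
    """Split one DRV line into its fields, or None if the line is not a DRV entry."""
    line = line.strip()
    m = DRV_RE.match(line)
    if not m:
        return None
    fields = [s.strip() for s in m["state"].split("|")]   # e.g. Kernel | On_Demand | Running
    return {
        "name": m["name"], "path": m["path"], "company": m["company"] or "",
        "missing": line.startswith("DRV - File not found"),
        "start": fields[1] if len(fields) > 1 else "", "state": fields[-1],
    }


def running_without_file(lines: List[str]) -> List[str]:
    """Names of drivers OTL reports Running although their image file is not found.
    That pattern is either a scanner's transient driver or something hiding its
    file, so each hit has to be matched against what was actually run on the box."""
    return [d["name"] for d in map(parse_drv, lines)
            if d and d["missing"] and d["state"] == "Running"]


def flag_dpf(line: str) -> Optional[dict]:
    """Flag a DPF entry served from a bare IP, a non-standard port, or as a plain .exe."""
    m = DPF_RE.match(line.strip())
    if not m:
        return None
    u = urlparse(m["url"])
    flags = []
    if u.hostname and re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", u.hostname):
        flags.append("bare-ip-host")
    if u.port not in (None, 80, 443):
        flags.append("nonstandard-port")
    if u.path.lower().endswith(".exe"):
        flags.append("direct-exe")
    return {"clsid": m["clsid"], "url": m["url"], "flags": flags}


def triage(lines: List[str]) -> dict:
    """Everything from the log that deserves a second look, in one structure."""
    return {
        "drivers_running_without_file": running_without_file(lines),
        "dpf": [f for f in map(flag_dpf, lines) if f and f["flags"]],
    }


# Lines copied from the OTL log in the post (SafeList drivers and O16 entries).
SAMPLE_LOG = r"""
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} http://69.3.198.64:100/RemoteWeb.cab (Remote200 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} http://trueswitch.com/TrueInstall.exe (Reg Error: Key error.)
""".strip().splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(decode_no_drive_type_autorun(323))                     # value from the O6/O7 lines
    print(len(drives_blocked_by_no_drive_autorun(67108863)), "drive letters covered")
```

Run as-is it reports one driver, catchme, which is the driver the GMER/ComboFix scanners load; the same log records a ComboFix run that day (C:\ComboFix, C:\Qoobox), so that hit is expected rather than alarming. The DPF pass surfaces the two controls fetched from 69.3.198.64:100 and the TrueInstall.exe entry, which are the ones worth asking the poster about. On the AutoRun side, 323 leaves DRIVE_REMOVABLE and DRIVE_CDROM uncovered, but 67108863 sets all 26 drive-letter bits, so AutoRun is off on every letter regardless of drive type.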
     
  17. 2010/09/23
    llsshopping

    OTL Extras logfile created on: 9/23/2010 11:28:21 PM - Run 1
    OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Admin\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 34.46 Gb Total Space | 14.35 Gb Free Space | 41.65% Space Free | Partition Type: NTFS
    Drive D: | 37.26 Gb Total Space | 2.68 Gb Free Space | 7.19% Space Free | Partition Type: NTFS
    Drive E: | 149.04 Gb Total Space | 3.87 Gb Free Space | 2.59% Space Free | Partition Type: NTFS
    Drive F: | 372.51 Gb Total Space | 223.17 Gb Free Space | 59.91% Space Free | Partition Type: FAT32
    G: Drive not present or media not loaded
    Drive H: | 596.17 Gb Total Space | 549.08 Gb Free Space | 92.10% Space Free | Partition Type: NTFS
    I: Drive not present or media not loaded

    Computer Name: landlhome
    Current User Name: Admin
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1 "
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" = 1
    "AntiVirusDisableNotify" = 0
    "FirewallDisableNotify" = 0
    "UpdatesDisableNotify" = 0
    "AntiVirusOverride" = 0
    "FirewallOverride" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
    "Start" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
    "Start" = 2

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "139:TCP" = 139:TCP:*:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:*:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:*:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:*:Enabled:mad:xpsp2res.dll,-22002

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DoNotAllowExceptions" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
    "1900:UDP" = 1900:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22007
    "2869:TCP" = 2869:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22008
    "10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
    "139:TCP" = 139:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22004
    "445:TCP" = 445:TCP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22005
    "137:UDP" = 137:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22001
    "138:UDP" = 138:UDP:LocalSubNet:Enabled:mad:xpsp2res.dll,-22002
    "58327:TCP" = 58327:TCP:*:Enabled:pandoRest Listening Port
    "9051:UDP" = 9051:UDP:LocalSubNet:Enabled:Verizon Tech Wizard

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "D:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = D:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "D:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe" = D:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7 -- ()
    "C:\Program Files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe" = C:\Program Files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe:*:Enabled:pandoRest Application Name -- ()
    "D:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe" = D:\Program Files\TurboTax\Deluxe 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
    "D:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe" = D:\Program Files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
    "D:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = D:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
    "D:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = D:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
    "D:\Program Files\HP\Digital Imaging\bin\hposid01.exe" = D:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe -- (Hewlett-Packard Co.)
    "D:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = D:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
    "D:\Program Files\HP\Digital Imaging\bin\hpoews01.exe" = D:\Program Files\HP\Digital Imaging\bin\hpoews01.exe:*:Enabled:hpoews01.exe -- (Hewlett-Packard Co.)
    "D:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe" = D:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe -- (Hewlett-Packard)
    "C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
    "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)


    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
    "{09BDEEF0-5590-457D-89A9-5DB2742F9BBF}" = 32 Bit HP CIO Components Installer
    "{0E70CFA6-93E3-453F-B47C-855196C2589E}" = Logitech Harmony Remote Software 7
    "{0F7C2E47-089E-4d23-B9F7-39BE00100776}" = Toolbox
    "{1116FD69-3C49-BE9A-C206-E8BA26CCA10F}" = CCC Help English
    "{11B83AD3-7A46-4C2E-A568-9505981D4C6F}" = HP Update
    "{16FE2579-06B2-3E32-58F2-4B70B69A3070}" = ccc-core-preinstall
    "{1771FDC8-D846-4B77-996A-C80DAD42C03F}" = OpenCASE Media Agent
    "{18472E28-FCA0-421F-BDAC-AC65012E29F2}" = ArcSoft MediaImpression
    "{195F2C6C-A343-4b10-B1A4-3F00AB9E9DD9}" = Fax
    "{1EB21F28-E3AF-A317-4658-6C0C455C2F61}" = Catalyst Control Center Core Implementation
    "{20B30DC1-E423-4939-B51D-05C58B0F9BBB}" = HP Photosmart All-In-One Driver Software 10.0 Rel .2
    "{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}" = QuickTime
    "{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
    "{26A24AE4-039D-4CA4-87B4-2F83216017FF}" = Java(TM) 6 Update 18
    "{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
    "{345112D9-0930-4A68-AB71-A831BA5DE7AA}" = Microsoft IntelliType Pro 6.2
    "{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
    "{3881DB80-EAA2-012B-ADAE-000000000000}" = TurboTax 2009 WinPerFedFormset
    "{38975F50-EAA2-012B-ADB4-000000000000}" = TurboTax 2009 WinPerReleaseEngine
    "{38A34630-EAA2-012B-ADB6-000000000000}" = TurboTax 2009 WinPerTaxSupport
    "{3B1D6DF0-EAA2-012B-AE51-000000000000}" = TurboTax 2009 wnjiper
    "{3C5A81D0-EAA2-012B-AE9F-000000000000}" = TurboTax 2009 wrapper
    "{46D9C523-FABB-FFF1-321D-F493A68E2C3E}" = Catalyst Control Center Graphics Previews Common
    "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
    "{5109C064-813E-4e87-B0DE-C8AF7B5BC02B}" = SmartWebPrintingOC
    "{57BBB1AD-A239-4B05-86F5-3D138A0CFEE8}" = PureVoice
    "{57D32909-FCA8-A78B-2AD2-2A50F5E11858}" = ccc-core-static
    "{57EA735B-4F1D-9FC5-6A36-B0C0F1D704FE}" = Catalyst Control Center Graphics Light
    "{5C6F884D-680C-448B-B4C9-22296EE1B206}" = Logitech Harmony Remote Software 7
    "{5EA05D7F-5645-4068-A60F-0DCF8FBFD267}" = OLYMPUS Raw Codec
    "{66E6CE0C-5A1E-430C-B40A-0C90FF1804A8}" = eSupportQFolder
    "{679EC478-3FF9-4987-B2FF-C2C2B27532A2}" = DocProc
    "{687FEF8A-8597-40b4-832C-297EA3F35817}" = BufferChm
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6B629F70-BE1D-456E-AA97-73619020E7A1}" = Sony Sound Forge 7.0
    "{6F5E2F4A-377D-4700-B0E3-8F7F7507EA15}" = CustomerResearchQFolder
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
    "{786C5747-1033-0000-B58E-000000000001}" = Adobe Stock Photos 1.0
    "{80533B67-C407-485D-8B5D-63BB8ED9D878}" = Scan
    "{87E2B986-07E8-477a-93DC-AF0B6758B192}" = DocProcQFolder
    "{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{8A85DEAD-7C1F-4368-881C-72AC74CB2E91}" = UnloadSupport
    "{8C5FAD77-F678-4758-A296-C12F08D179E0}" = Microsoft IntelliPoint 6.2
    "{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{91E30409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
    "{923CAE62-30C9-425E-B4ED-F5E9C09C5C4A}" = TurboTax 2008 wnjiper
    "{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
    "{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
    "{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
    "{AB5D51AE-EBC3-438D-872C-705C7C2084B0}" = DeviceManagementQFolder
    "{AC76BA86-0000-0000-0000-6028747ADE01}" = Adobe Acrobat - Reader 6.0.2 Update
    "{AC76BA86-0000-7EC8-7489-000000000603}" = Adobe Acrobat and Reader 6.0.3 Update
    "{AC76BA86-0000-7EC8-7489-000000000604}" = Adobe Acrobat and Reader 6.0.4 Update
    "{AC76BA86-0000-7EC8-7489-000000000605}" = Adobe Acrobat and Reader 6.0.5 Update
    "{AC76BA86-0000-7EC8-7489-000000000606}" = Adobe Acrobat and Reader 6.0.6 Update
    "{AC76BA86-1033-0000-BA7E-000000000001}" = Adobe Acrobat 6.0.1 Standard
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.4
    "{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
    "{ACDE260A-602B-4cfb-A650-D0DBA6FFAD85}" = NetDeviceManager
    "{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
    "{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
    "{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
    "{B6685367-A8AD-4414-A2A3-10B40EC5CF30}" = SharpKeys
    "{B74D4E10-1033-0000-0000-000000000001}" = Adobe Bridge 1.0
    "{b9be267c-e096-4cce-a4fd-f24eec004938}" = PS_AIO_02_ProductContext
    "{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
    "{c4549405-195f-4450-8865-6be9dc5ad136}" = PS_AIO_02_Software_Min
    "{c600ab3d-8b64-41df-bf36-b3d87ce0706b}" = C7200_Help
    "{CAEF3BE9-F5CF-4355-BBC3-90134AD070F8}" = RAW Thumbnail Viewer
    "{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
    "{CCB9B81A-167F-4832-B305-D2A0430840B3}" = WebReg
    "{cd0b9359-b716-4fd0-8e0a-09b3e312e8a4}" = PS_AIO_02_Software
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{CECEB0FF-5C45-4b50-9A00-C596E36D88F4}" = C7200
    "{DE31F8AA-B12D-3A38-E561-C657EED45465}" = Catalyst Control Center Graphics Full Existing
    "{E07C71A6-1576-4F7F-8856-B1C439E669AC}" = MotionDV STUDIO 5.6E LE for DV
    "{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
    "{E6EB53D4-5AD0-07F0-2DAC-0A2D624DF39D}" = ccc-utility
    "{E74CC47C-28D3-25E1-14D2-68EBC87C31BA}" = Skins
    "{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
    "{EB866374-B705-4749-83D9-997AC77146B3}" = LGUsbDriver
    "{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
    "{F251B61F-9D18-13C4-02EE-71A36343D442}" = Catalyst Control Center Graphics Full New
    "{FA61D601-A0FC-48BD-AE7A-54946BCD7FB6}_is1" = BitPim 1.0.6
    "1A6754C019F3AE544C346226BB63AC9BC7DACCDE" = Windows Driver Package - OLYMPUS IMAGING CORP. (OlyUsbCam) OlyUsbCam (12/28/2006 1.0.0.0)
    "Adobe Atmosphere Player" = Adobe Atmosphere Player for Acrobat and Adobe Reader
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
    "Adobe Photoshop CS2 - {236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
    "All ATI Software" = ATI - Software Uninstall Utility
    "ATI Display Driver" = ATI Display Driver
    "CCleaner" = CCleaner
    "CloneDVD2" = CloneDVD2
    "Coupon Printer for Windows4.0" = Coupon Printer for Windows
    "Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
    "ffdshow_is1" = ffdshow [rev 2693] [2009-02-16]
    "HijackThis" = HijackThis 2.0.2
    "HP Smart Web Printing" = HP Smart Web Printing
    "HPOCR" = OCR Software by I.R.I.S. 10.0
    "IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
    "ie7" = Windows Internet Explorer 7
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "MetaFrame Presentation Server Web Client for Win32" = MetaFrame Presentation Server Web Client for Win32
    "Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "Mozilla Firefox (3.6.10)" = Mozilla Firefox (3.6.10)
    "MSC" = McAfee SecurityCenter
    "MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
    "NAVIGON Fresh" = NAVIGON Fresh 1.4.9
    "Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
    "NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
    "ORFshell_is1" = ORFshell v0.99 beta 8
    "Picasa 3" = Picasa 3
    "RadialpointClientGateway_is1" = Verizon Servicepoint 1.5.12
    "TrueSwitch Wizard" = TrueSwitch Wizard
    "TurboTax 2008" = TurboTax 2008
    "TurboTax 2009" = TurboTax 2009
    "Tweak UI 2.10" = Tweak UI
    "Verizon Online Help and Support" = Verizon Online Help and Support
    "Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    "Windows Media Format Runtime" = Windows Media Format 11 runtime
    "Windows Media Player" = Windows Media Player 11
    "Windows XP Service Pack" = Windows XP Service Pack 3
    "WMFDist11" = Windows Media Format 11 runtime
    "wmp11" = Windows Media Player 11
    "Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 9/19/2010 3:26:59 AM | Computer Name = landlhome | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This operation returned because the timeout period expired.

    Error - 9/19/2010 3:26:59 AM | Computer Name = landlhome | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The specified server cannot perform the requested operation.

    Error - 9/19/2010 11:34:04 PM | Computer Name = landlhome | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: This operation returned because the timeout period expired.

    Error - 9/19/2010 11:34:04 PM | Computer Name = landlhome | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The specified server cannot perform the requested operation.

    Error - 9/19/2010 11:34:05 PM | Computer Name = landlhome | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The specified server cannot perform the requested operation.

    Error - 9/19/2010 11:34:05 PM | Computer Name = landlhome | Source = crypt32 | ID = 131080
    Description = Failed auto update retrieval of third-party root list sequence number
    from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
    with error: The specified server cannot perform the requested operation.

    Error - 9/22/2010 9:33:20 PM | Computer Name = landlhome | Source = Application Hang | ID = 1002
    Description = Hanging application IEXPLORE.EXE, version 6.0.2900.5512, hang module
    hungapp, version 0.0.0.0, hang address 0x00000000.

    Error - 9/22/2010 9:33:24 PM | Computer Name = landlhome | Source = Application Hang | ID = 1001
    Description = Fault bucket 724398357.

    Error - 9/22/2010 9:33:31 PM | Computer Name = landlhome | Source = Application Hang | ID = 1002
    Description = Hanging application CDLS.exe, version 4.8.0.26, hang module hungapp,
    version 0.0.0.0, hang address 0x00000000.

    Error - 9/22/2010 9:33:40 PM | Computer Name = landlhome | Source = Application Hang | ID = 1001
    Description = Fault bucket 39046302.

    [ System Events ]
    Error - 9/23/2010 6:04:43 AM | Computer Name = landlhome | Source = System Error | ID = 1003
    Description = Error code d0000144, parameter1 c0000005, parameter2 001a00e4, parameter3
    00000001, parameter4 7c800000.

    Error - 9/23/2010 8:22:42 PM | Computer Name = landlhome | Source = Service Control Manager | ID = 7031
    Description = The McAfee Real-time Scanner service terminated unexpectedly. It
    has done this 1 time(s). The following corrective action will be taken in 60000
    milliseconds: Restart the service.

    Error - 9/23/2010 8:24:54 PM | Computer Name = landlhome | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 9/23/2010 8:27:38 PM | Computer Name = landlhome | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 9/23/2010 9:15:50 PM | Computer Name = landlhome | Source = ati2mtag | ID = 45062
    Description = CRT invalid display type

    Error - 9/23/2010 10:14:43 PM | Computer Name = landlhome | Source = ati2mtag | ID = 45062
    Description = CRT invalid display type

    Error - 9/23/2010 10:50:31 PM | Computer Name = landlhome | Source = Service Control Manager | ID = 7031
    Description = The McAfee Real-time Scanner service terminated unexpectedly. It
    has done this 2 time(s). The following corrective action will be taken in 60000
    milliseconds: Restart the service.

    Error - 9/23/2010 10:51:20 PM | Computer Name = landlhome | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 9/23/2010 10:51:54 PM | Computer Name = landlhome | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.

    Error - 9/23/2010 10:58:53 PM | Computer Name = landlhome | Source = Service Control Manager | ID = 7031
    Description = The Windows Media Player Network Sharing Service service terminated
    unexpectedly. It has done this 1 time(s). The following corrective action will
    be taken in 30000 milliseconds: Restart the service.


    < End of report >
     
  18. 2010/09/23
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      DRV - [2008/06/27 00:31:06 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
      O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
      O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
      O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
      O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab (Reg Error: Key error.)
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} http://trueswitch.com/TrueInstall.exe (Reg Error: Key error.)
      [2008/08/30 21:15:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
       "DisableMonitoring" =-
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
       "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • IMPORTANT! UN-check Remove found threats
    • Click Start
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
     
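    Added example for readers of this thread (it is not part of OTL, and not something the moderator or the poster provided): a small Python triage script that reads the Security Center and Firewall sections of an OTL log like the one posted above and flags the three items worth a second look here: `DisableMonitoring = 1` under a vendor's Security Center Monitoring subkey (the two McAfee values the OTL fix above deletes), `EnableFirewall = 0` in a firewall profile, and GloballyOpenPorts entries whose scope is `*` (any remote address) rather than LocalSubNet, with the SMB/NetBIOS ports called out. The embedded SAMPLE_LOG is constructed from a trimmed subset of the posted log; the `Finding` class, the function names and the SMB_PORTS shortlist are my own choices. The forum software turned the `:@` in `Enabled:@xpsp2res.dll` into a `:mad:` smiley, so the port splitter deliberately tolerates extra colons in the description field.

```python
"""Triage the Security Center and Windows Firewall sections of an OTL log.

Added example for this thread; it is not part of OTL or of the original posts.
SAMPLE_LOG below is constructed from (and trimmed down to) entries that appear
in the log posted earlier in the thread.
"""
import re
from dataclasses import dataclass

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Ports a workstation should never expose to arbitrary remote addresses
# (assumption: a reviewer's shortlist, not something OTL defines).
SMB_PORTS = {135, 137, 138, 139, 445}

SAMPLE_LOG = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"58327:TCP" = 58327:TCP:*:Enabled:pandoRest Listening Port
"""


@dataclass(frozen=True)
class Finding:
    category: str  # "monitoring_disabled" | "firewall_off" | "open_to_any"
    where: str     # Security Center product subkey, or the firewall profile
    detail: str


def parse_registry_dump(text):
    """Turn OTL's '[key]' / '"name" = value' listing into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def parse_open_port(value):
    """Split 'port:proto:scope:state:description' as stored under GloballyOpenPorts\\List.

    maxsplit=4 keeps any colon inside the description, so the forum's ':mad:'
    mangling of ':@xpsp2res.dll' in the posted log still parses.
    """
    port, proto, scope, state, description = value.split(":", 4)
    return int(port), proto.upper(), scope, state, description


def triage(text):
    findings = []
    for key, values in parse_registry_dump(text).items():
        if "\\Security Center\\Monitoring\\" in key and values.get("DisableMonitoring") == "1":
            product = key.rsplit("\\", 1)[1]
            findings.append(Finding("monitoring_disabled", product,
                                    "Security Center no longer reports this product's state"))
        if "\\FirewallPolicy\\" not in key:
            continue
        profile = key.split("\\FirewallPolicy\\", 1)[1].split("\\", 1)[0]
        if values.get("EnableFirewall") == "0":
            findings.append(Finding("firewall_off", profile,
                                    "Windows Firewall disabled; fine only if another firewall is active"))
        if key.endswith("\\GloballyOpenPorts\\List"):
            for value in values.values():
                port, proto, scope, state, description = parse_open_port(value)
                if state == "Enabled" and scope == "*":
                    tag = "SMB/NetBIOS" if port in SMB_PORTS else "application"
                    findings.append(Finding("open_to_any", profile,
                                            f"{port}/{proto} ({description}) reachable from any address [{tag}]"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:20} {f.where:16} {f.detail}")
```

    Run it as a script to print the findings for the embedded sample, or call `triage()` on the text of a full OTL log. Treat the output as review items rather than verdicts: DomainProfile rules only apply while the machine is joined to a domain, and a disabled Windows Firewall profile is expected when a third-party firewall is the active one, which is why the fix above only touches the two DisableMonitoring values and leaves the firewall settings alone.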
  19. 2010/09/25
    llsshopping

    llsshopping Inactive Thread Starter

    Joined:
    2009/12/22
    Messages:
    92
    Likes Received:
    0
    OTL logfile created on: 9/23/2010 11:28:21 PM - Run 1
    OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Admin\Desktop
    Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
    Internet Explorer (Version = 7.0.5730.13)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
    4.00 Gb Paging File | 3.00 Gb Available in Paging File | 82.00% Paging File free
    Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 34.46 Gb Total Space | 14.35 Gb Free Space | 41.65% Space Free | Partition Type: NTFS
    Drive D: | 37.26 Gb Total Space | 2.68 Gb Free Space | 7.19% Space Free | Partition Type: NTFS
    Drive E: | 149.04 Gb Total Space | 3.87 Gb Free Space | 2.59% Space Free | Partition Type: NTFS
    Drive F: | 372.51 Gb Total Space | 223.17 Gb Free Space | 59.91% Space Free | Partition Type: FAT32
    G: Drive not present or media not loaded
    Drive H: | 596.17 Gb Total Space | 549.08 Gb Free Space | 92.10% Space Free | Partition Type: NTFS
    I: Drive not present or media not loaded

    Computer Name: landlhome
    Current User Name: Admin
    Logged in as Administrator.

    Current Boot Mode: Normal
    Scan Mode: Current user
    Company Name Whitelist: On
    Skip Microsoft Files: On
    File Age = 90 Days
    Output = Standard
    Quick Scan

    ========== Processes (SafeList) ==========

    PRC - [2010/09/23 23:26:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    PRC - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
    PRC - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    PRC - [2010/03/24 13:58:22 | 000,309,760 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
    PRC - [2010/03/18 11:19:26 | 000,207,360 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    PRC - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    PRC - [2009/10/29 07:54:44 | 001,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
    PRC - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
    PRC - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    PRC - [2009/09/16 11:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
    PRC - [2009/09/16 10:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
    PRC - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
    PRC - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
    PRC - [2008/08/29 17:29:14 | 000,835,208 | ---- | M] (ExtendMedia Inc.) -- C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe
    PRC - [2008/04/13 20:12:43 | 000,009,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\scrnsave.scr
    PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    PRC - [2003/10/24 00:37:56 | 000,217,194 | ---- | M] (Adobe Systems Inc.) -- D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    PRC - [2003/05/29 16:28:32 | 000,790,528 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    PRC - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


    ========== Modules (SafeList) ==========

    MOD - [2010/09/23 23:26:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    MOD - [2010/04/01 09:57:36 | 000,015,056 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
    MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/06/10 06:58:32 | 000,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
    SRV - [2010/03/26 11:16:04 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
    SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
    SRV - [2009/10/27 12:19:46 | 000,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
    SRV - [2009/09/29 10:17:50 | 000,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
    SRV - [2009/09/16 12:23:32 | 000,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2009/09/16 11:22:08 | 000,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
    SRV - [2009/09/16 10:28:38 | 000,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
    SRV - [2009/07/08 12:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
    SRV - [2009/07/07 20:10:02 | 002,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
    SRV - [2008/08/29 17:29:14 | 000,835,208 | ---- | M] (ExtendMedia Inc.) [Auto | Running] -- C:\Program Files\OpenCase\OpenCASE Media Agent\MediaAgent.exe -- (OpenCASE Media Agent)
    SRV - [2002/09/20 15:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL)
    DRV - File not found [Kernel | On_Demand | Running] -- C:\DOCUME~1\Admin\LOCALS~1\Temp\catchme.sys -- (catchme)
    DRV - [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
    DRV - [2009/09/16 11:22:48 | 000,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2009/09/16 11:22:48 | 000,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2009/09/16 11:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
    DRV - [2009/09/16 11:22:48 | 000,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/09/16 11:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
    DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
    DRV - [2008/06/27 00:31:06 | 000,010,344 | ---- | M] (Symantec Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\symlcbrd.sys -- (symlcbrd)
    DRV - [2008/06/25 23:16:04 | 000,235,100 | ---- | M] (Analog Devices Inc) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\MidiSyn.sys -- (MidiSyn)
    DRV - [2008/06/03 02:20:54 | 003,100,160 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
    DRV - [2008/05/20 10:01:00 | 000,288,896 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
    DRV - [2008/04/13 14:46:20 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\61883.sys -- (61883)
    DRV - [2008/04/13 14:46:20 | 000,038,912 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\avc.sys -- (Avc)
    DRV - [2008/04/13 14:46:10 | 000,051,200 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\msdv.sys -- (MSDV)
    DRV - [2007/09/28 14:30:57 | 000,019,345 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMPR5.sys -- (MREMPR5)
    DRV - [2007/09/28 14:30:49 | 000,018,003 | ---- | M] (Motive, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRENDIS5.sys -- (MRENDIS5)
    DRV - [2006/11/10 15:05:00 | 000,018,688 | ---- | M] (Arcsoft, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\afc.sys -- (Afc)
    DRV - [2005/01/01 21:11:43 | 000,003,968 | ---- | M] (Elaborate Bytes AG) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ElbyDelay.sys -- (ElbyDelay)
    DRV - [2005/01/01 21:07:05 | 000,009,728 | ---- | M] (Elaborate Bytes AG) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO)
    DRV - [2002/10/15 16:07:30 | 000,060,816 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgatserd.sys -- (lgatserd) LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM)
    DRV - [2002/10/15 16:05:38 | 000,077,104 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgatmdm.sys -- (lgatmdm)
    DRV - [2002/10/15 16:03:34 | 000,043,024 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lgatbus.sys -- (lgatbus) LG USB Composite Device driver (WDM)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

    IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.startup.homepage: "http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome "
    FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
    FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1

    FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/07/02 17:45:37 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Components: D:\Program Files\Mozilla Firefox\components [2010/09/23 18:44:18 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Mozilla Firefox 3.6.10\extensions\\Plugins: D:\Program Files\Mozilla Firefox\plugins [2010/09/23 18:44:18 | 000,000,000 | ---D | M]

    [2010/03/12 21:09:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Extensions
    [2010/09/23 21:20:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\6nmyrlwn.default\extensions
    [2010/03/13 00:10:23 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\6nmyrlwn.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    O1 HOSTS File: ([2010/03/14 15:24:20 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
    O1 - Hosts: 127.0.0.1 localhost
    O1 - Hosts: ::1 localhost
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll ()
    O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
    O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
    O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe (Adobe Systems Inc.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoWelcomeScreen = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre6\bin\npjpi160_18.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - D:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
    O15 - HKCU\..Trusted Domains: intuit.com ([ttlc] https in Trusted sites)
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon FiOS Installer.cab (Support.com Configuration Class)
    O16 - DPF: {46D8BEE7-0B27-4466-ABA2-A5F1E157971C} http://69.3.198.64:100/RemoteWeb.cab (Remote200 Control)
    O16 - DPF: {5FFDFC21-AE40-4C7C-955C-415A1ACE01C8} http://69.3.198.64:100/VideoViewer.cab (CViewerControl Object)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab (Java Plug-in 1.6.0_18)
    O16 - DPF: {DB31DA00-4F6F-4CC7-8627-C5A142E1FC7C} http://www.syncmyride.com/Own/Modules/UploadDownload/applets/sync.cab (SyncXfer Class)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} http://trueswitch.com/TrueInstall.exe (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 71.250.0.12
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
    O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2008/06/25 17:34:10 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2007/03/05 09:43:24 | 000,000,000 | ---D | M] - F:\autorun -- [ FAT32 ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: 6to4 - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Iprip - File not found
    NetSvcs: Irmon - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: WmdmPmSp - File not found

    Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
    Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
    Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
    Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
    Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
    Drivers32: VIDC.DVSD - pdvcodec.dll File not found
    Drivers32: VIDC.FFDS - C:\WINDOWS\System32\ff_vfw.dll ()
    Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
    Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
    Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
    Drivers32: VIDC.MP42 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)
    Drivers32: VIDC.MPG4 - C:\WINDOWS\System32\mpg4c32.dll (Microsoft Corporation)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point (16902109354000384)

    ========== Files/Folders - Created Within 90 Days ==========

    [2010/09/23 23:26:02 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    [2010/09/23 22:50:46 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2010/09/23 20:23:08 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2010/09/23 20:23:08 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2010/09/23 20:23:08 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2010/09/23 20:23:08 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2010/09/23 20:22:54 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/09/22 21:57:06 | 000,000,000 | ---D | C] -- C:\WINDOWS\ie7updates
    [2010/09/22 21:56:02 | 000,000,000 | ---D | C] -- C:\WINDOWS\WBEM
    [2010/09/22 21:55:03 | 000,000,000 | -H-D | C] -- C:\WINDOWS\ie7
    [2010/09/22 21:54:32 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$
    [2010/09/22 21:53:18 | 000,000,000 | -H-D | C] -- C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$
    [2010/09/05 23:28:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Local Settings\Application Data\Help
    [2010/09/05 23:28:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Application Data\Help
    [2010/09/05 12:30:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Admin\Local Settings\Application Data\Ahead
    [2010/08/20 18:59:59 | 000,000,000 | ---D | C] -- C:\Program Files\MSECache
    [2010/08/19 08:00:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\DVD Shrink
    [2010/08/02 09:42:02 | 000,000,000 | ---D | C] -- C:\Program Files\NAVIGON

    ========== Files - Modified Within 90 Days ==========

    [2010/09/23 23:26:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    [2010/09/23 23:11:50 | 000,017,853 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
    [2010/09/23 23:03:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
    [2010/09/23 23:01:03 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
    [2010/09/23 20:21:29 | 003,851,266 | R--- | M] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    [2010/09/23 05:58:30 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2010/09/23 05:57:39 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\MBRCheck.exe
    [2010/09/22 22:16:08 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\v1fr64un.exe
    [2010/09/22 22:14:11 | 002,621,440 | -H-- | M] () -- C:\Documents and Settings\Admin\NTUSER.DAT
    [2010/09/22 22:11:43 | 000,000,815 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
    [2010/09/22 22:10:42 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2010/09/22 22:08:18 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Admin\ntuser.ini
    [2010/09/22 21:57:35 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
    [2010/09/19 00:03:26 | 000,000,049 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
    [2010/09/15 01:00:00 | 000,000,340 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
    [2010/09/06 00:18:53 | 000,013,824 | ---- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/09/06 00:08:09 | 000,142,008 | ---- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    [2010/09/01 01:00:11 | 000,000,332 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
    [2010/08/23 08:04:27 | 000,454,864 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2010/08/20 12:05:26 | 000,504,736 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
    [2010/08/20 12:05:26 | 000,443,588 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
    [2010/08/20 12:05:26 | 000,071,846 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
    [2010/08/20 11:50:34 | 000,001,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2010/08/19 07:57:32 | 000,000,190 | ---- | M] () -- C:\WINDOWS\WININIT.INI
    [2010/08/02 09:42:10 | 000,000,798 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\NAVIGON Fresh.lnk
    [2010/07/15 15:18:22 | 000,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
    [2010/07/02 17:44:25 | 006,428,170 | -H-- | M] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\IconCache.db

    ========== Files Created - No Company Name ==========

    [2010/09/23 20:23:08 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2010/09/23 20:23:08 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2010/09/23 20:23:08 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2010/09/23 20:23:08 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2010/09/23 20:23:08 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2010/09/23 20:21:23 | 003,851,266 | R--- | C] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    [2010/09/23 05:57:38 | 000,080,384 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\MBRCheck.exe
    [2010/09/22 22:16:07 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Admin\Desktop\v1fr64un.exe
    [2010/08/11 20:13:27 | 000,001,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
    [2010/05/15 20:24:20 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\housecall.guid.cache
    [2010/02/14 15:07:04 | 000,000,448 | ---- | C] () -- C:\Documents and Settings\Admin\Application Data\dumpexif.ini
    [2010/01/27 21:12:45 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
    [2010/01/27 21:12:45 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
    [2010/01/27 21:12:35 | 000,013,824 | ---- | C] () -- C:\Documents and Settings\Admin\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/10/27 18:53:55 | 000,000,028 | ---- | C] () -- C:\WINDOWS\MotionDVSTUDIO.INI
    [2009/07/20 21:05:10 | 000,000,118 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
    [2008/12/22 16:43:10 | 000,000,000 | ---- | C] () -- C:\WINDOWS\webica.ini
    [2008/09/02 23:17:48 | 000,007,680 | ---- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2008/07/05 23:22:32 | 000,000,049 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
    [2008/06/27 21:43:49 | 000,000,122 | ---- | C] () -- C:\WINDOWS\_vmtxp.INI
    [2008/06/27 16:54:44 | 000,001,656 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
    [2008/06/27 01:34:09 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
    [2008/06/27 01:04:12 | 000,000,190 | ---- | C] () -- C:\WINDOWS\WININIT.INI
    [2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

    ========== LOP Check ==========

    [2010/02/14 15:07:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Admin\Application Data\SquirrelWare
    [2008/10/27 22:12:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ExtendMedia
    [2010/05/16 13:03:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
    [2008/12/11 23:54:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
    [2009/10/26 21:56:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panasonic
    [2008/08/30 21:15:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
    [2009/04/21 22:46:10 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{964C8871-6315-4FC5-8A47-F4C420428929}
    [2010/09/15 01:00:00 | 000,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
    [2010/09/01 01:00:11 | 000,000,332 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2008/06/25 17:34:10 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
    [2009/11/09 19:27:06 | 000,000,211 | -HS- | M] () -- C:\Boot.bak
    [2010/05/30 08:16:18 | 000,000,281 | -HS- | M] () -- C:\boot.ini
    [2004/08/04 00:00:00 | 000,260,272 | ---- | M] () -- C:\cmldr
    [2010/09/23 23:03:04 | 000,014,915 | ---- | M] () -- C:\ComboFix.txt
    [2008/06/25 17:34:10 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
    [2010/09/03 05:39:32 | 000,000,045 | ---- | M] () -- C:\error.log
    [2008/06/27 00:41:46 | 209,715,200 | -HS- | M] () -- C:\gobackio.bin
    [2008/06/25 17:34:10 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2010/01/02 15:11:48 | 000,000,623 | ---- | M] () -- C:\JavaRa.log
    [2008/06/25 17:34:10 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2008/11/08 01:18:01 | 000,001,142 | ---- | M] () -- C:\NTDClient.log
    [2004/08/04 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
    [2008/06/25 18:19:58 | 000,250,048 | RHS- | M] () -- C:\ntldr
    [2010/09/23 05:58:17 | 2145,386,496 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2006/04/18 16:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
    [2006/06/29 15:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
    [2006/04/18 16:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
    [2006/06/29 15:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2008/06/25 17:33:45 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2008/07/06 08:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    [2007/03/15 15:32:10 | 000,274,944 | ---- | M] (Hewlett-Packard Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\hpzpp5ha.dll
    [2004/03/22 15:17:08 | 000,025,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    [2008/07/06 06:50:04 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2008/06/25 13:21:06 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
    [2008/06/25 13:21:06 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
    [2008/06/25 13:21:06 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
    [2008/06/25 18:22:59 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/05/08 23:18:32 | 000,000,119 | -HS- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
    [2010/01/05 00:25:06 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

    < %USERPROFILE%\Desktop\*.exe >
    [2010/09/23 20:21:29 | 003,851,266 | R--- | M] () -- C:\Documents and Settings\Admin\Desktop\ComboFix.exe
    [2010/09/23 05:57:39 | 000,080,384 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\MBRCheck.exe
    [2010/09/23 23:26:03 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\OTL.exe
    [2010/05/07 19:29:21 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Admin\Desktop\TFC.exe
    [2010/09/22 22:16:08 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Admin\Desktop\v1fr64un.exe

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2010/05/08 23:18:25 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Admin\Favorites\Desktop.ini

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >
    [2008/06/26 01:07:44 | 000,002,518 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >
    [2010/09/23 23:11:59 | 000,049,152 | ---- | M] () -- C:\Documents and Settings\Admin\Cookies\index.dat

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >
    [2007/06/26 22:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >
    [2004/08/04 01:06:34 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >
    "NoAutoUpdate" = 0
    "AUOptions" = 2
    "ScheduledInstallDay" = 0
    "ScheduledInstallTime" = 3
    "UseWUServer" = 0
    "NoAutoRebootWithLoggedOnUsers" = 1
    "AutoInstallMinorUpdates" = 0

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >

    < End of report >
     
  20. 2010/09/25
    llsshopping

    llsshopping Inactive Thread Starter

    Joined:
    2009/12/22
    Messages:
    92
    Likes Received:
    0
    I did not see an option for the ESET scanner to produce a log, but it did not find any issues.


    Results of screen317's Security Check version 0.99.5
    Windows XP Service Pack 3
    Internet Explorer 7 Out of date!
    ``````````````````````````````
    Antivirus/Firewall Check:

    Windows Firewall Disabled!
    McAfee SecurityCenter
    Antivirus up to date!
    ```````````````````````````````
    Anti-malware/Other Utilities Check:

    Malwarebytes' Anti-Malware
    HijackThis 2.0.2
    CCleaner
    Java(TM) 6 Update 21
    Adobe Flash Player 10.1.82.76
    Adobe Atmosphere Player for Acrobat and Adobe Reader
    Adobe Reader 9.3.4
    Mozilla Firefox (3.6.10) Firefox Out of Date!
    ````````````````````````````````
    Process Check:
    objlist.exe by Laurent

    McAfee VIRUSS~1 mcshield.exe
    McAfee VIRUSS~1 mcsysmon.exe
    ````````````````````````````````
    DNS Vulnerability Check:

    GREAT! (Not vulnerable to DNS cache poisoning)

    ``````````End of Log````````````
     
  21. 2010/09/25
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I need a log from OTL fix (after running my script), not a new scan.
    Please, re-read my instructions.
     
