
Google redirect [Solved]


#1 sys123 (New Member, 6 posts)
I seem to have the Google redirect virus/malware and would really appreciate any help in trying to remove it.

When I do a Google search and click on a resulting link I frequently get redirected to another unrelated site (usually with a URL beginning 'adwords.onlinesecuregroup.com') or an unfamiliar search engine. It does not happen every time and I can get round it by cutting and pasting the search results instead of clicking the links. My computer is also going extremely slowly, mostly when using my browser but also with pretty much everything else too. I am using Internet Explorer as my only browser.

I have read your malware cleaning guide and have taken the following steps so far:

1. Full scan with my McAfee virus scan (nothing found).
2. Downloaded and run Hitman Pro (nothing found).
3. Backed up my registry with ERUNT.
4. Downloaded and run SysRestorePoint.
5. Downloaded and run TFC.
6. Downloaded and run GooRedFix.
7. Downloaded and run TDSSKiller.
8. Run MBAM quick scan (found and removed ten 'infected items' but computer symptoms remain the same - log pasted below).
9. Run GMER (log pasted below).
10. Run OTL (logs pasted below).

I would be really grateful for any help, as I have been struggling with this for a month or more. Thanks.

*****************************

MBAM log


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4113

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

18/05/2010 21:46:11
mbam-log-2010-05-18 (21-46-11).txt

Scan type: Quick scan
Objects scanned: 133735
Time elapsed: 9 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{42f2c9ba-614f-47c0-b3e3-ecfd34eed658} (Adware.ISTBar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\drivers\down (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\drivers\down\26228765.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.


****************************

GMER log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-18 23:09:37
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\MEGANB~1\LOCALS~1\Temp\uxrdapow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF85C4DB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF85C4DC4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF85C4DF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF85C4E46]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF85C4D9C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF85C4D74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF85C4D88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF85C4DDA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF85C4E1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF85C4E06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF85C4E70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF85C4E5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF85C4E30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP F85C4E34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP F85C4DA0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80570833 5 Bytes JMP F85C4DB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805719AC 5 Bytes JMP F85C4D78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572A6E 7 Bytes JMP F85C4E0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP F85C4E60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP F85C4E4A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP F85C4E74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP F85C4D8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D64 7 Bytes JMP F85C4DF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80595316 7 Bytes JMP F85C4DC8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetSecurityObject 8059B1F3 5 Bytes JMP F85C4E20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064EAEA 7 Bytes JMP F85C4DDE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? ioaqaco.sys The system cannot find the file specified. !
init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF8A53760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF789FF80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[268] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E72862
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[268] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E726EE
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[268] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E727E0
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[268] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E72726
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[268] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E7275E
.text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 04880000
.text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 04880FE5
.text C:\WINDOWS\Explorer.EXE[404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 04880011
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 04870000
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 04870F92
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 04870FA3
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0487007D
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 04870062
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 04870FC0
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 048700D0
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 048700BF
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 04870F4B
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 04870F5C
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 04870F3A
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 04870051
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0487001B
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 048700A2
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 04870FDB
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0487002C
.text C:\WINDOWS\Explorer.EXE[404] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 04870F6D
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0486002F
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0486005B
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 04860FD4
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0486000A
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 04860F9E
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 04860FEF
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 04860FB9
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A6, 8C]
.text C:\WINDOWS\Explorer.EXE[404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 04860040
.text C:\WINDOWS\Explorer.EXE[404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 04850FA1
.text C:\WINDOWS\Explorer.EXE[404] msvcrt.dll!system 77C293C7 5 Bytes JMP 04850FB2
.text C:\WINDOWS\Explorer.EXE[404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 04850022
.text C:\WINDOWS\Explorer.EXE[404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 04850000
.text C:\WINDOWS\Explorer.EXE[404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 04850FCD
.text C:\WINDOWS\Explorer.EXE[404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 04850011
.text C:\WINDOWS\Explorer.EXE[404] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0483000A
.text C:\WINDOWS\Explorer.EXE[404] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0483001B
.text C:\WINDOWS\Explorer.EXE[404] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0483002C
.text C:\WINDOWS\Explorer.EXE[404] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0483003D
.text C:\WINDOWS\Explorer.EXE[404] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E62862
.text C:\WINDOWS\Explorer.EXE[404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 04840000
.text C:\WINDOWS\Explorer.EXE[404] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E626EE
.text C:\WINDOWS\Explorer.EXE[404] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E627E0
.text C:\WINDOWS\Explorer.EXE[404] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E62726
.text C:\WINDOWS\Explorer.EXE[404] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E6275E
.text C:\Program Files\McAfee Online Backup\MOBKbackup.exe[424] ws2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 03232862
.text C:\Program Files\McAfee Online Backup\MOBKbackup.exe[424] ws2_32.dll!send 71AB4C27 5 Bytes JMP 032326EE
.text C:\Program Files\McAfee Online Backup\MOBKbackup.exe[424] ws2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 032327E0
.text C:\Program Files\McAfee Online Backup\MOBKbackup.exe[424] ws2_32.dll!recv 71AB676F 5 Bytes JMP 03232726
.text C:\Program Files\McAfee Online Backup\MOBKbackup.exe[424] ws2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0323275E
.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00DA0FE5
.text C:\WINDOWS\system32\svchost.exe[712] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00DA0011
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D9005B
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D90F66
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D90F83
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D90F9E
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D9002F
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D90F3F
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D90087
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D90F24
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D900BD
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D900CE
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D90040
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D90FD4
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D9006C
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D9001E
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D90FC3
.text C:\WINDOWS\system32\svchost.exe[712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D900A2
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D8001E
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D80FA8
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D80FCD
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D80FDE
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D80065
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D80054
.text C:\WINDOWS\system32\svchost.exe[712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D80043
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D70F90
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D70FA1
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D70FCD
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D70000
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D70FBC
.text C:\WINDOWS\system32\svchost.exe[712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D70011
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00D50FEF
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00D50FD4
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00D50FB9
.text C:\WINDOWS\system32\svchost.exe[712] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00D50FA8
.text C:\WINDOWS\system32\svchost.exe[712] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D60000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00980FE5
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00980FCA
.text C:\WINDOWS\system32\services.exe[1068] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00980000
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0097000A
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00970F9E
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00970093
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0097006C
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0097005B
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00970FB9
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00970F6B
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00970F7C
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009700E9
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009700D8
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00970F35
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00970040
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0097001B
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00970F8D
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00970FD4
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00970FEF
.text C:\WINDOWS\system32\services.exe[1068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00970F5A
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00960FAF
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00960047
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0096000A
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00960FCA
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0096002C
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00960FE5
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0096001B
.text C:\WINDOWS\system32\services.exe[1068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00960F9E
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00070FB7
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00070042
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00070016
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00070027
.text C:\WINDOWS\system32\services.exe[1068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00070FD2
.text C:\WINDOWS\system32\services.exe[1068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1068] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[1068] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00050FDB
.text C:\WINDOWS\system32\services.exe[1068] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00050011
.text C:\WINDOWS\system32\services.exe[1068] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0005002C
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00ED0FEF
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00ED0014
.text C:\WINDOWS\system32\lsass.exe[1080] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00ED0FDE
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EC001B
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EC0F30
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EC0F41
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EC0F5E
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EC0F8A
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EC0051
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EC0EFF
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EC007D
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EC0EEE
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EC008E
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EC0F79
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EC0FDB
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EC0036
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EC0FAF
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EC0FC0
.text C:\WINDOWS\system32\lsass.exe[1080] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EC0062
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EB0036
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EB0FAC
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EB0011
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EB0FE5
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EB0073
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EB0062
.text C:\WINDOWS\system32\lsass.exe[1080] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EB0047
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EA004E
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EA0FC3
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EA0FDE
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EA000C
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EA0029
.text C:\WINDOWS\system32\lsass.exe[1080] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\lsass.exe[1080] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E9000A
.text C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1112] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01742862
.text C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1112] WS2_32.dll!send 71AB4C27 5 Bytes JMP 017426EE
.text C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1112] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 017427E0
.text C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1112] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01742726
.text C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1112] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0174275E
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02800000
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02800025
.text C:\WINDOWS\system32\svchost.exe[1236] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02800FE5
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E5007D
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E5006C
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E5005B
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E50F9E
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E50FAF
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E50F35
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E50F52
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E50F24
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E500BD
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E50EFF
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E50040
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E50FDB
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E50F63
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E50025
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E50FCA
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E500A2
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DF0FDE
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DF0F9E
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DF0025
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DF005B
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DF004A
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DF0FB9
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DE005D
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DE0042
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DE0FE3
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DE0000
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DE0FC8
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DE001D
.text C:\WINDOWS\system32\svchost.exe[1236] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD0FEF
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00DC0000
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00DC0011
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00DC0036
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00DC0FE5
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E60FE5
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E60FB9
.text C:\WINDOWS\system32\svchost.exe[1308] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E60FD4
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E50093
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E50082
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E50FA8
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E50065
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E5004A
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E50F6B
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E50F7C
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E50F2E
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E50F49
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E50F1D
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E50FC3
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E50FDE
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E50F8D
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E50039
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E50014
.text C:\WINDOWS\system32\svchost.exe[1308] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E50F5A
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FB9
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E40F79
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40040
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40F9E
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89}
.text C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E40025
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E30FC8
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30053
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E3001D
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E30038
.text C:\WINDOWS\system32\svchost.exe[1308] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E3000C
.text C:\WINDOWS\system32\svchost.exe[1308] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E10FD4
.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\svchost.exe[1308] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E10FB9
.text C:\WINDOWS\System32\svchost.exe[1428] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 02F9000A
.text C:\WINDOWS\System32\svchost.exe[1428] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02F9002C
.text C:\WINDOWS\System32\svchost.exe[1428] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 02F9001B
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02F80FEF
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02F80F77
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02F8006C
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02F8005B
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02F80FA8
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02F8002F
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02F80089
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02F80F41
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02F800BF
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02F80F26
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02F80F01
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02F8004A
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02F8000A
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02F80F5C
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02F80FC3
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02F80FD4
.text C:\WINDOWS\System32\svchost.exe[1428] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02F800A4
.text C:\WINDOWS\System32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02F70FC0
.text C:\WINDOWS\System32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02F70062
.text C:\WINDOWS\System32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02F70011
.text C:\WINDOWS\System32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02F70FE5
.text C:\WINDOWS\System32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02F70FA5
.text C:\WINDOWS\System32\svchost.exe[1428] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02F70000
.text C:\WINDOWS\System32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02F70047
.text C:\WINDOWS\System32\svchost.exe[1428] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02F7002C
.text C:\WINDOWS\System32\svchost.exe[1428] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02EA0F97
.text C:\WINDOWS\System32\svchost.exe[1428] msvcrt.dll!system 77C293C7 5 Bytes JMP 02EA0FA8
.text C:\WINDOWS\System32\svchost.exe[1428] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02EA0011
.text C:\WINDOWS\System32\svchost.exe[1428] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02EA0000
.text C:\WINDOWS\System32\svchost.exe[1428] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02EA0022
.text C:\WINDOWS\System32\svchost.exe[1428] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02EA0FE3
.text C:\WINDOWS\System32\svchost.exe[1428] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02E90000
.text C:\WINDOWS\System32\svchost.exe[1428] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02E80FEF
.text C:\WINDOWS\System32\svchost.exe[1428] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02E80FD4
.text C:\WINDOWS\System32\svchost.exe[1428] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02E8000A
.text C:\WINDOWS\System32\svchost.exe[1428] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 02E80025
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00B00FE5
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00B00011
.text C:\WINDOWS\system32\svchost.exe[1484] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AF0073
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AF0F7E
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AF0058
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AF0F9B
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AF003D
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AF0F35
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AF0F5C
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AF0F09
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AF00A2
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AF00BD
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AF0FC0
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AF0F6D
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AF002C
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AF0011
.text C:\WINDOWS\system32\svchost.exe[1484] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AF0F24
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AE0FDB
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AE0F9E
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AE002C
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AE0011
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AE005B
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AE0FB9
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CE, 88]
.text C:\WINDOWS\system32\svchost.exe[1484] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AE0FCA
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AD004C
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AD0FB7
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AD0027
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AD0FD2
.text C:\WINDOWS\system32\svchost.exe[1484] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AD000C
.text C:\WINDOWS\system32\svchost.exe[1484] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00AB0000
.text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00AB001B
.text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00AB0036
.text C:\WINDOWS\system32\svchost.exe[1484] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00AB0FE5
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1512] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00DC2862
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1512] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00DC26EE
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1512] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00DC27E0
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1512] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00DC2726
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[1512] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00DC275E
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1516] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00E42862
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1516] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00E426EE
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1516] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00E427E0
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1516] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00E42726
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1516] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00E4275E
.text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\svchost.exe[1524] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B9006F
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90054
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90F86
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90043
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FA8
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90F38
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B90080
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B900BD
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B900AC
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90F09
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90F97
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F5F
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\svchost.exe[1524] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B9009B
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80FD4
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80087
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B80025
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B8006C
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B8000A
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B8005B
.text C:\WINDOWS\system32\svchost.exe[1524] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80040
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70FB4
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70FCF
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B7002E
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B7000C
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70049
.text C:\WINDOWS\system32\svchost.exe[1524] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B7001D
.text C:\WINDOWS\system32\svchost.exe[1524] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[1524] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00FD0FE5
.text C:\WINDOWS\system32\svchost.exe[1524] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00FD0000
.text C:\WINDOWS\system32\svchost.exe[1524] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00FD0FD4
.text C:\WINDOWS\system32\svchost.exe[1524] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00FD0025
.text C:\WINDOWS\system32\hkcmd.exe[1544] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D92862
.text C:\WINDOWS\system32\hkcmd.exe[1544] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D926EE
.text C:\WINDOWS\system32\hkcmd.exe[1544] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D927E0
.text C:\WINDOWS\system32\hkcmd.exe[1544] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D92726
.text C:\WINDOWS\system32\hkcmd.exe[1544] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D9275E
.text C:\WINDOWS\system32\igfxpers.exe[1572] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D82862
.text C:\WINDOWS\system32\igfxpers.exe[1572] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D826EE
.text C:\WINDOWS\system32\igfxpers.exe[1572] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D827E0
.text C:\WINDOWS\system32\igfxpers.exe[1572] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D82726
.text C:\WINDOWS\system32\igfxpers.exe[1572] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D8275E
.text C:\Program Files\iTunes\iTunesHelper.exe[1624] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01022862
.text C:\Program Files\iTunes\iTunesHelper.exe[1624] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010226EE
.text C:\Program Files\iTunes\iTunesHelper.exe[1624] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010227E0
.text C:\Program Files\iTunes\iTunesHelper.exe[1624] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01022726
.text C:\Program Files\iTunes\iTunesHelper.exe[1624] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0102275E
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[1740] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010A2862
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[1740] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010A26EE
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[1740] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010A27E0
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[1740] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010A2726
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[1740] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010A275E
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1964] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EB2862
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1964] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EB26EE
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1964] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EB27E0
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1964] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EB2726
.text C:\Program Files\CyberLink\Shared Files\RichVideo.exe[1964] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EB275E
.text C:\WINDOWS\System32\svchost.exe[2248] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FEF
.text C:\WINDOWS\System32\svchost.exe[2248] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FCD
.text C:\WINDOWS\System32\svchost.exe[2248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FDE
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F52
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0047
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0036
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F83
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B007D
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F35
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F13
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00AC
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00BD
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0F94
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B000A
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B006C
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0025
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\System32\svchost.exe[2248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F24
.text C:\WINDOWS\System32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A004A
.text C:\WINDOWS\System32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0080
.text C:\WINDOWS\System32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0025
.text C:\WINDOWS\System32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\System32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0FC3
.text C:\WINDOWS\System32\svchost.exe[2248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A000A
.text C:\WINDOWS\System32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002A0FDE
.text C:\WINDOWS\System32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4A, 88]
.text C:\WINDOWS\System32\svchost.exe[2248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A005B
.text C:\WINDOWS\System32\svchost.exe[2248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003F0F88
.text C:\WINDOWS\System32\svchost.exe[2248] msvcrt.dll!system 77C293C7 5 Bytes JMP 003F0FAD
.text C:\WINDOWS\System32\svchost.exe[2248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003F0FD2
.text C:\WINDOWS\System32\svchost.exe[2248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003F0000
.text C:\WINDOWS\System32\svchost.exe[2248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003F001D
.text C:\WINDOWS\System32\svchost.exe[2248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003F0FE3
.text C:\WINDOWS\System32\svchost.exe[2248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\System32\svchost.exe[2248] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01110000
.text C:\WINDOWS\System32\svchost.exe[2248] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01110FDB
.text C:\WINDOWS\System32\svchost.exe[2248] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01110FCA
.text C:\WINDOWS\System32\svchost.exe[2248] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01110FAF
.text C:\WINDOWS\system32\svchost.exe[2284] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F10FE5
.text C:\WINDOWS\system32\svchost.exe[2284] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F1001B
.text C:\WINDOWS\system32\svchost.exe[2284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F00000
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F00F6F
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F00064
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F00F8A
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F00FA5
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F00FC7
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F00F52
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F0009A
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F000D7
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F000C6
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F000F2
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F00FB6
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F0001B
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F0007F
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F0003D
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F0002C
.text C:\WINDOWS\system32\svchost.exe[2284] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F000B5
.text C:\WINDOWS\system32\svchost.exe[2284] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EF002C
.text C:\WINDOWS\system32\svchost.exe[2284] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EF006C
.text C:\WINDOWS\system32\svchost.exe[2284] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EF001B
.text C:\WINDOWS\system32\svchost.exe[2284] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EF0FE5
.text C:\WINDOWS\system32\svchost.exe[2284] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EF0FAF
.text C:\WINDOWS\system32\svchost.exe[2284] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EF0000
.text C:\WINDOWS\system32\svchost.exe[2284] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00EF0FC0
.text C:\WINDOWS\system32\svchost.exe[2284] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0F, 89]
.text C:\WINDOWS\system32\svchost.exe[2284] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EF0047
.text C:\WINDOWS\system32\svchost.exe[2284] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EE0056
.text C:\WINDOWS\system32\svchost.exe[2284] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EE0FC1
.text C:\WINDOWS\system32\svchost.exe[2284] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EE0FD2
.text C:\WINDOWS\system32\svchost.exe[2284] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\svchost.exe[2284] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EE0027
.text C:\WINDOWS\system32\svchost.exe[2284] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EE000C
.text C:\WINDOWS\system32\svchost.exe[2284] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[2284] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00EC0000
.text C:\WINDOWS\system32\svchost.exe[2284] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00EC001B
.text C:\WINDOWS\system32\svchost.exe[2284] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00EC002C
.text C:\WINDOWS\system32\svchost.exe[2284] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\wdfmgr.exe[2396] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00862862
.text C:\WINDOWS\system32\wdfmgr.exe[2396] WS2_32.dll!send 71AB4C27 5 Bytes JMP 008626EE
.text C:\WINDOWS\system32\wdfmgr.exe[2396] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 008627E0
.text C:\WINDOWS\system32\wdfmgr.exe[2396] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00862726
.text C:\WINDOWS\system32\wdfmgr.exe[2396] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0086275E
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[2924] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00BE2862
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[2924] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00BE26EE
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[2924] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00BE27E0
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[2924] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00BE2726
.text C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe[2924] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00BE275E
.text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[3024] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01682862
.text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[3024] WS2_32.dll!send 71AB4C27 5 Bytes JMP 016826EE
.text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[3024] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 016827E0
.text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[3024] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01682726
.text C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe[3024] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0168275E
.text C:\WINDOWS\system32\wuauclt.exe[3324] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0009000A
.text C:\WINDOWS\system32\wuauclt.exe[3324] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FCA
.text C:\WINDOWS\system32\wuauclt.exe[3324] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0000
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F94
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0093
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C0076
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0F5C
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C00A4
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0F30
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C00C9
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0F1F
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C005B
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C001B
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F79
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0036
.text C:\WINDOWS\system32\wuauclt.exe[3324] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C0F4B
.text C:\WINDOWS\system32\wuauclt.exe[3324] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0F9E
.text C:\WINDOWS\system32\wuauclt.exe[3324] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0029
.text C:\WINDOWS\system32\wuauclt.exe[3324] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B0FC3
.text C:\WINDOWS\system32\wuauclt.exe[3324] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3324] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0018
.text C:\WINDOWS\system32\wuauclt.exe[3324] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FDE
.text C:\WINDOWS\system32\wuauclt.exe[3324] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002C0040
.text C:\WINDOWS\system32\wuauclt.exe[3324] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002C0FA8
.text C:\WINDOWS\system32\wuauclt.exe[3324] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002C0025
.text C:\WINDOWS\system32\wuauclt.exe[3324] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002C0014
.text C:\WINDOWS\system32\wuauclt.exe[3324] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002C0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3324] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002C0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3324] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002C005B
.text C:\WINDOWS\system32\wuauclt.exe[3324] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002C0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3324] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01040000
.text C:\WINDOWS\system32\wuauclt.exe[3324] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0104001B
.text C:\WINDOWS\system32\wuauclt.exe[3324] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01040FE5
.text C:\WINDOWS\system32\wuauclt.exe[3324] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01040FCA
.text C:\WINDOWS\system32\wuauclt.exe[3324] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01022862
.text C:\WINDOWS\system32\wuauclt.exe[3324] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011C0000
.text C:\WINDOWS\system32\wuauclt.exe[3324] WS2_32.dll!send 71AB4C27 5 Bytes JMP 010226EE
.text C:\WINDOWS\system32\wuauclt.exe[3324] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 010227E0
.text C:\WINDOWS\system32\wuauclt.exe[3324] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01022726
.text C:\WINDOWS\system32\wuauclt.exe[3324] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0102275E
.text C:\Program Files\iPod\bin\iPodService.exe[3916] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B92862
.text C:\Program Files\iPod\bin\iPodService.exe[3916] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B926EE
.text C:\Program Files\iPod\bin\iPodService.exe[3916] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B927E0
.text C:\Program Files\iPod\bin\iPodService.exe[3916] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B92726
.text C:\Program Files\iPod\bin\iPodService.exe[3916] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B9275E

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 8275C1A0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8275C1A0
Device \Driver\atapi \Device\Ide\IdePort1 8275C1A0
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8275C1A0

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----


**********************

OTL logs

OTL logfile created on: 18/05/2010 23:19:58 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\megan bydder\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

510.00 Mb Total Physical Memory | 171.00 Mb Available Physical Memory | 33.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.70 Gb Total Space | 44.81 Gb Free Space | 62.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 931.51 Gb Total Space | 892.39 Gb Free Space | 95.80% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: UPSTAIRS
Current User Name: megan bydder
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/18 23:18:45 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\megan bydder\Desktop\OTL.exe
PRC - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/04/01 23:05:04 | 001,180,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/02/05 21:14:42 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2008/08/22 00:56:48 | 000,536,576 | ---- | M] () -- C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
PRC - [2008/04/14 01:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/08 03:07:31 | 000,491,520 | ---- | M] () -- C:\WINDOWS\twain_32\Samsung\SCX4500W\Scan2Pc.exe
PRC - [2007/06/13 10:15:14 | 000,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2007/04/04 02:50:00 | 001,603,152 | ---- | M] (CANON INC.) -- C:\Program Files\Canon\MyPrinter\BJMYPRT.EXE
PRC - [2004/10/14 19:42:54 | 001,404,928 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\Core\smax4pnp.exe


========== Modules (SafeList) ==========

MOD - [2010/05/18 23:18:45 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\megan bydder\Desktop\OTL.exe
MOD - [2008/04/14 01:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (NMIndexingService)
SRV - File not found [Auto | Stopped] -- -- (MSK80Service)
SRV - File not found [Auto | Stopped] -- -- (0069801274185323mcinstcleanup) McAfee Application Installer Cleanup (0069801274185323)
SRV - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/03/10 11:16:56 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/02/05 21:14:42 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/01/05 18:04:02 | 000,170,144 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2007/03/07 15:47:46 | 000,076,848 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)


========== Driver Services (SafeList) ==========

DRV - [2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/02/05 21:13:48 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/09/16 10:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/04/13 19:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2008/04/13 19:36:39 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 19:36:39 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/11/21 09:45:39 | 000,041,984 | ---- | M] (Samsung Electronics Co., Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\DGIVECP.SYS -- (DgiVecp)
DRV - [2007/02/25 12:10:48 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\dsunidrv.sys -- (dsunidrv)
DRV - [2006/10/05 16:07:28 | 000,004,736 | ---- | M] (Gteko Ltd.) [Kernel | On_Demand | Stopped] -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2004/09/17 14:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2004/08/03 22:29:56 | 001,897,408 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/06/16 03:52:40 | 000,061,157 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC53.sys -- (IntelC53)
DRV - [2004/03/06 04:15:34 | 000,647,929 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC52.sys -- (IntelC52)
DRV - [2004/03/06 04:14:42 | 001,233,525 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\IntelC51.sys -- (IntelC51)
DRV - [2004/03/06 04:13:38 | 000,037,048 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mohfilt.sys -- (mohfilt)
DRV - [2003/10/28 06:32:12 | 000,174,530 | R--- | M] (OmniVision Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ov519vid.sys -- (ovt519)
DRV - [2001/11/25 03:11:54 | 000,081,924 | ---- | M] (FUJI PHOTO FILM CO.,LTD.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\V4CB0115.SYS -- (FINEPIX_PCC)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...m...tf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1

FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/04/21 20:10:48 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2004/08/04 05:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100518132040.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [4500w Scan2PC] C:\WINDOWS\Twain_32\Samsung\SCX4500W\Scan2Pc.exe ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe (CANON INC.)
O4 - HKLM..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe (CANON INC.)
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\Media Experience\PCMService.exe File not found
O4 - HKLM..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe ()
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe (Analog Devices, Inc.)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O8 - Extra context menu item: SmarThru4 Capture Selection - C:\Program Files\SmarThru 4\WEBCapture.dll2.htm ()
O8 - Extra context menu item: SmarThru4 Save as HTML - C:\Program Files\SmarThru 4\WEBCapture.dll1.htm ()
O8 - Extra context menu item: SmarThru4 Save Selected Text - C:\Program Files\SmarThru 4\WEBCapture.dll.htm ()
O8 - Extra context menu item: SmarThru4 Web Capture - C:\Program Files\SmarThru 4\WebCapture.dll ()
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.micr...tualEarth3D.cab (Reg Error: Value error.)
O16 - DPF: {20B845BF-450F-4C1E-AF60-3CC380CDE328} http://apps.corel.co...PluginNOSSO.ocx (get_atlcom Class)
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} http://apps.corel.co...IEGetPlugin.ocx (get_atlcom Class)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.aka...vex-2.2.4.1.cab (DLM Control)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcaf...01/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A19F0E9E-D4C2-4A96-8EA7-0F64A9B2643F} http://www.pi.nhs.uk...leCalc515uk.cab (CentileCalc515UK.Calc)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcaf...,23/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} https://www.tescopho...opcuploader.cab (Image Uploader 3.0 Control)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.ma...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\megan bydder\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\megan bydder\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 13:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{98dd1a18-a1fe-11dd-8fd4-0013200fbfa6}\Shell - "" = AutoRun
O33 - MountPoints2\{98dd1a18-a1fe-11dd-8fd4-0013200fbfa6}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{98dd1a18-a1fe-11dd-8fd4-0013200fbfa6}\Shell\AutoRun\command - "" = F:\DTSP_Launcher.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2004/08/10 12:52:56 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/18 23:18:41 | 000,571,392 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\megan bydder\Desktop\OTL.exe
[2010/05/18 21:35:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\megan bydder\Application Data\Malwarebytes
[2010/05/18 21:35:25 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/18 21:35:24 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/18 21:35:23 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/18 21:35:23 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/18 16:35:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\megan bydder\Desktop\tdsskiller
[2010/05/18 16:33:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\megan bydder\Desktop\GooredFix Backups
[2010/05/18 13:46:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\megan bydder\Desktop\SysRestorePoint_v13
[2010/05/18 13:41:12 | 000,444,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\megan bydder\Desktop\TFC.exe
[2010/05/18 13:40:32 | 000,070,858 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\megan bydder\Desktop\GooredFix.exe
[2010/05/18 13:31:47 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/04/26 16:48:14 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/04/26 16:38:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/04/26 16:38:30 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/04/16 19:31:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/16 19:30:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Google
[2010/04/16 19:26:18 | 000,000,000 | ---D | C] -- C:\Program Files\McAfeeMOBK
[2010/04/16 19:25:56 | 000,054,776 | ---- | C] (Mozy, Inc.) -- C:\WINDOWS\System32\drivers\MOBK.sys
[2010/04/16 19:25:25 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Online Backup
[2010/04/16 19:22:46 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/04/16 19:00:35 | 000,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2010/04/15 20:31:27 | 000,009,344 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/04/15 20:31:04 | 000,385,880 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2010/04/15 20:31:04 | 000,312,616 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/04/15 20:31:04 | 000,152,320 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/04/15 20:31:04 | 000,095,568 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2010/04/15 20:31:04 | 000,088,480 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/04/15 20:31:04 | 000,083,496 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/04/15 20:31:04 | 000,082,952 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/04/15 20:31:04 | 000,055,456 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/04/15 20:31:04 | 000,051,688 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/02/18 22:44:24 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump

========== Files - Modified Within 90 Days ==========

[2010/05/18 23:18:45 | 000,571,392 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\megan bydder\Desktop\OTL.exe
[2010/05/18 23:12:04 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Internet Security.lnk
[2010/05/18 23:12:00 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/18 23:11:54 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/05/18 23:11:34 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/05/18 23:11:28 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/18 23:11:28 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/18 23:11:24 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/18 23:11:23 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/18 23:07:01 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/18 22:01:23 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\megan bydder\Desktop\gmer.exe
[2010/05/18 21:48:22 | 008,388,608 | ---- | M] () -- C:\Documents and Settings\megan bydder\ntuser.dat
[2010/05/18 21:47:48 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\megan bydder\ntuser.ini
[2010/05/18 21:47:27 | 003,771,986 | -H-- | M] () -- C:\Documents and Settings\megan bydder\Local Settings\Application Data\IconCache.db
[2010/05/18 13:45:46 | 000,009,334 | ---- | M] () -- C:\Documents and Settings\megan bydder\Desktop\SysRestorePoint_v13.zip
[2010/05/18 13:41:14 | 000,444,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\megan bydder\Desktop\TFC.exe
[2010/05/18 13:40:55 | 000,949,152 | ---- | M] () -- C:\Documents and Settings\megan bydder\Desktop\tdsskiller.zip
[2010/05/18 13:40:33 | 000,070,858 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\megan bydder\Desktop\GooredFix.exe
[2010/05/18 13:02:57 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/30 18:30:00 | 000,000,364 | ---- | M] () -- C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (DF14BL1J-megan bydder).job
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/04/27 17:16:24 | 000,009,344 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/04/26 17:01:09 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\WINDOWS\System32\bootdelete.exe
[2010/04/26 16:55:59 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/26 16:31:18 | 000,000,916 | -HS- | M] () -- C:\Documents and Settings\megan bydder\Local Settings\Application Data\b08620CF7A25y
[2010/04/26 16:31:18 | 000,000,916 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\b08620CF7A25y
[2010/04/21 17:58:00 | 000,001,184 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\8Ubu0B6G7
[2010/04/21 17:57:59 | 000,001,184 | -HS- | M] () -- C:\Documents and Settings\megan bydder\Local Settings\Application Data\8Ubu0B6G7
[2010/04/16 19:05:23 | 000,000,135 | ---- | M] () -- C:\Documents and Settings\megan bydder\Local Settings\Application Data\fusioncache.dat
[2010/04/15 22:22:41 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/03/28 17:38:24 | 000,445,370 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/28 17:38:23 | 000,072,576 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/28 17:38:19 | 000,528,020 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/21 13:05:53 | 000,152,064 | ---- | M] () -- C:\Documents and Settings\megan bydder\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/03/18 15:08:12 | 000,006,148 | -H-- | M] () -- C:\Documents and Settings\megan bydder\My Documents\.DS_Store
[2010/03/18 10:41:45 | 000,029,128 | ---- | M] () -- C:\Documents and Settings\megan bydder\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/03/01 09:51:40 | 000,001,503 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/02/20 09:51:41 | 000,006,148 | -H-- | M] () -- C:\Documents and Settings\All Users\Documents\.DS_Store
[2010/02/20 00:27:14 | 000,145,216 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/02/19 23:47:30 | 000,000,029 | ---- | M] () -- C:\WINDOWS\videoimp.ini
[2010/02/19 22:13:22 | 000,000,285 | ---- | M] () -- C:\Documents and Settings\megan bydder\Desktop\Shortcut to External Hard Drive.lnk

========== Files Created - No Company Name ==========

[2010/05/18 19:47:12 | 534,827,008 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/18 13:45:43 | 000,009,334 | ---- | C] () -- C:\Documents and Settings\megan bydder\Desktop\SysRestorePoint_v13.zip
[2010/05/18 13:40:48 | 000,949,152 | ---- | C] () -- C:\Documents and Settings\megan bydder\Desktop\tdsskiller.zip
[2010/05/06 08:30:00 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Internet Security.lnk
[2010/04/26 16:39:33 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/04/26 16:38:31 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/04/26 16:31:17 | 000,000,916 | -HS- | C] () -- C:\Documents and Settings\megan bydder\Local Settings\Application Data\b08620CF7A25y
[2010/04/26 16:31:17 | 000,000,916 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\b08620CF7A25y
[2010/04/21 17:57:59 | 000,001,184 | -HS- | C] () -- C:\Documents and Settings\megan bydder\Local Settings\Application Data\8Ubu0B6G7
[2010/04/21 17:57:59 | 000,001,184 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\8Ubu0B6G7
[2010/04/16 19:05:23 | 000,000,135 | ---- | C] () -- C:\Documents and Settings\megan bydder\Local Settings\Application Data\fusioncache.dat
[2010/03/01 09:51:40 | 000,001,503 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Browser Choice.lnk
[2010/02/20 09:51:26 | 000,006,148 | -H-- | C] () -- C:\Documents and Settings\All Users\Documents\.DS_Store
[2010/02/19 22:13:22 | 000,000,285 | ---- | C] () -- C:\Documents and Settings\megan bydder\Desktop\Shortcut to External Hard Drive.lnk
[2009/01/13 15:24:51 | 000,172,032 | ---- | C] () -- C:\WINDOWS\System32\SecSNMP.dll
[2009/01/13 15:24:29 | 000,000,124 | ---- | C] () -- C:\WINDOWS\Readiris.ini
[2009/01/13 15:24:22 | 000,023,040 | ---- | C] () -- C:\WINDOWS\System32\irisco32.dll
[2009/01/06 19:24:12 | 000,265,216 | R--- | C] () -- C:\WINDOWS\System32\Sswiadrv.dll
[2009/01/06 19:24:12 | 000,139,776 | R--- | C] () -- C:\WINDOWS\System32\WIAEH.dll
[2009/01/06 19:24:12 | 000,138,240 | R--- | C] () -- C:\WINDOWS\System32\Ssuiext.dll
[2009/01/06 19:24:12 | 000,116,736 | R--- | C] () -- C:\WINDOWS\System32\WIAIPH.dll
[2009/01/06 19:24:12 | 000,087,040 | R--- | C] () -- C:\WINDOWS\System32\WIASTIIO.dll
[2009/01/06 19:23:53 | 000,022,723 | ---- | C] () -- C:\WINDOWS\System32\ssw1ml3.dll
[2008/09/09 10:12:20 | 000,000,265 | ---- | C] () -- C:\WINDOWS\xvport.ini
[2008/04/26 20:55:37 | 000,000,062 | ---- | C] () -- C:\WINDOWS\pcvcdbr.INI
[2008/04/26 20:55:34 | 000,000,000 | ---- | C] () -- C:\WINDOWS\pcvcdvw.INI
[2007/08/05 22:32:04 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/01/04 16:09:59 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Title.INI
[2006/10/19 18:00:27 | 000,000,028 | ---- | C] () -- C:\WINDOWS\MotionDVSTUDIO.INI
[2006/08/17 09:51:10 | 000,000,104 | RHS- | C] () -- C:\WINDOWS\System32\F8F6A4C789.sys
[2006/08/17 09:32:35 | 000,003,350 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2005/04/13 21:21:39 | 000,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2005/04/13 18:02:08 | 000,000,029 | ---- | C] () -- C:\WINDOWS\videoimp.ini
[2005/04/13 18:02:02 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll
[2005/04/13 17:53:10 | 000,001,029 | ---- | C] () -- C:\WINDOWS\maxlink.ini
[2005/04/13 17:51:49 | 000,000,663 | ---- | C] () -- C:\WINDOWS\fe.INI
[2005/04/13 17:24:20 | 000,040,448 | ---- | C] () -- C:\WINDOWS\System32\regobj.dll
[2005/04/13 17:13:10 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/04/08 16:38:20 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/04/08 16:36:14 | 000,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/04/08 16:11:34 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/04/08 16:11:04 | 000,000,375 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/08/10 13:12:05 | 000,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 13:01:18 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/01/08 16:57:34 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Jpeg32.dll

========== LOP Check ==========

[2006/01/13 15:45:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund Software
[2008/02/22 18:42:14 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2010/04/26 16:48:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2006/10/19 16:09:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Panasonic
[2006/01/13 15:57:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Riverdeep Interactive Learning Limited
[2005/04/13 17:54:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ScanSoft
[2008/05/02 21:15:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TDK
[2010/02/20 00:18:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tesco Photobook Creator
[2005/04/08 16:32:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2008/02/22 19:08:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\megan bydder\Application Data\Canon
[2008/03/02 10:52:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\megan bydder\Application Data\CD-LabelPrint
[2005/06/30 11:09:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\megan bydder\Application Data\FileMaker
[2005/04/13 18:04:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\megan bydder\Application Data\FUJIFILM
[2005/05/15 16:46:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\megan bydder\Application Data\Leadertech
[2005/04/14 15:48:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\megan bydder\Application Data\MSNInstaller
[2009/01/13 15:25:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\megan bydder\Application Data\SmarThru4
[2007/06/15 17:01:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\megan bydder\Application Data\Viewpoint

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2004/08/10 13:04:08 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2005/04/13 15:29:30 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2004/08/10 13:04:08 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2005/04/08 16:13:34 | 000,003,749 | RH-- | M] () -- C:\dell.sdr
[2010/05/18 23:11:23 | 534,827,008 | -HS- | M] () -- C:\hiberfil.sys
[2005/04/13 17:08:24 | 000,004,128 | ---- | M] () -- C:\INFCACHE.1
[2004/08/10 13:04:08 | 000,000,000 | -H-- | M] () -- C:\IO.SYS
[2005/04/08 16:33:03 | 000,000,799 | -H-- | M] () -- C:\IPH.PH
[2004/08/10 13:04:08 | 000,000,000 | -H-- | M] () -- C:\MSDOS.SYS
[2004/08/04 05:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/05/15 09:46:20 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/18 23:11:22 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2010/05/18 16:38:01 | 000,046,718 | ---- | M] () -- C:\TDSSKiller.2.3.0.0_18.05.2010_16.36.01_log.txt
[2010/05/18 17:12:30 | 000,046,714 | ---- | M] () -- C:\TDSSKiller.2.3.0.0_18.05.2010_17.10.59_log.txt
[2010/05/18 19:44:55 | 000,046,714 | ---- | M] () -- C:\TDSSKiller.2.3.0.0_18.05.2010_19.43.40_log.txt

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2004/08/10 12:56:48 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/10 12:56:46 | 000,634,880 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/10 12:56:46 | 000,872,448 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /180 >
[2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\cfwids.sys
[2010/05/18 13:02:57 | 000,015,944 | ---- | M] () -- C:\WINDOWS\system32\drivers\hitmanpro35.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeapfk.sys
[2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys
[2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys
[2010/04/27 17:16:24 | 000,009,344 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeclnk.sys
[2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfefirek.sys
[2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys
[2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfendisk.sys
[2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdet.sys
[2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys
[2010/02/05 21:13:48 | 000,054,776 | ---- | M] (Mozy, Inc.) -- C:\WINDOWS\system32\drivers\MOBK.sys
[2010/02/24 14:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2009/12/31 17:50:03 | 000,353,792 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\srv.sys
[2010/02/11 13:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys
< End of report >


OTL Extras logfile created on: 18/05/2010 23:19:58 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\megan bydder\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

510.00 Mb Total Physical Memory | 171.00 Mb Available Physical Memory | 33.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 71.70 Gb Total Space | 44.81 Gb Free Space | 62.49% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 931.51 Gb Total Space | 892.39 Gb Free Space | 95.80% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: UPSTAIRS
Current User Name: megan bydder
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 1
"FirewallOverride" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 1
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"5942:TCP" = 5942:TCP:*:Enabled:Services
"5943:TCP" = 5943:TCP:*:Enabled:Services
"3427:TCP" = 3427:TCP:*:Enabled:Services
"5354:TCP" = 5354:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"5942:TCP" = 5942:TCP:*:Enabled:Services
"5943:TCP" = 5943:TCP:*:Enabled:Services
"3427:TCP" = 3427:TCP:*:Enabled:Services
"5354:TCP" = 5354:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\WINDOWS\twain_32\Samsung\SCX4500W\Sscan2io.exe" = C:\WINDOWS\twain_32\Samsung\SCX4500W\Sscan2io.exe:*:Enabled:SScanToIO -- ()
"C:\WINDOWS\twain_32\Samsung\SCX4500W\Scan2Pc.exe" = C:\WINDOWS\twain_32\Samsung\SCX4500W\Scan2Pc.exe:*:Enabled:ScanToPC -- ()
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- File not found
"C:\Program Files\Skype\Phone\Skype.exe" = C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype -- File not found
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4500_series" = Canon iP4500 series
"{14D08502-FEE4-40E5-90D3-8A967A1D8BA2}" = Readiris Pro 10
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{18388EF8-E0A3-442B-8BFE-E2F1B3D05C91}" = iTunes
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = DVD Suite
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 20
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{3248F0A8-6813-11D6-A77B-00B0D0150110}" = J2SE Runtime Environment 5.0 Update 11
"{3248F0A8-6813-11D6-A77B-00B0D0160010}" = Java™ SE Runtime Environment 6 Update 1
"{3248F0A8-6813-11D6-A77B-00B0D0160020}" = Java™ 6 Update 2
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{44A537A5-859C-43A6-8285-C0668142A090}" = iPod for Windows 2005-03-23
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{7148F0A8-6813-11D6-A77B-00B0D0142030}" = Java 2 Runtime Environment, SE v1.4.2_03
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{90F1943D-EA4A-4460-B59F-30023F3BA69A}" = SmarThru 4
"{91120409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Standard Edition 2003
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A81200000003}" = Adobe Reader 8.1.2
"{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}" = Apple Software Update
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"{E0D51394-1D45-460A-B62D-383BC4F8B335}" = QuickTime
"{E1180142-3B31-4DCC-9D27-7AC2D37662BF}" = LightScribe 1.4.124.1
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"btbb.MCCInstall" = BT Broadband Help
"Canon iP4500 series User Registration" = Canon iP4500 series User Registration
"CanonMyPrinter" = Canon My Printer
"CanonSolutionMenu" = Canon Utilities Solution Menu
"ERUNT_is1" = ERUNT 1.1j
"Google Updater" = Google Updater
"HitmanPro35" = Hitman Pro 3.5
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"ie8" = Windows Internet Explorer 8
"InstallShield_{44A537A5-859C-43A6-8285-C0668142A090}" = iPod for Windows 2005-03-23
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"McAfee Uninstall Utility" = McAfee Uninstall Wizard
"MediaNavigation.CDLabelPrint" = CD-LabelPrint
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"MSC" = McAfee Internet Security
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"PB-WC100 USB Camera" = PB-WC100 USB Camera
"PROSet" = Intel® PRO Network Adapters and Drivers
"RealPlayer 6.0" = RealPlayer
"Samsung SCX-4500W Series" = Samsung SCX-4500W Series
"Shockwave" = Shockwave
"StreetPlugin" = Learn2 Player (Uninstall Only)
"ViewpointMediaPlayer" = Viewpoint Media Player
"WebPost" = Microsoft Web Publishing Wizard 1.52
"WIC" = Windows Imaging Component
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/05/2010 06:20:08 | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 11/05/2010 06:20:09 | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 11/05/2010 06:20:09 | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 11/05/2010 06:20:28 | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 11/05/2010 06:20:28 | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 18/05/2010 07:42:21 | Computer Name = UPSTAIRS | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: This operation returned because the timeout period expired.

Error - 18/05/2010 08:47:08 | Computer Name = UPSTAIRS | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 sysrestorepoint.exe, P2 1.3.0.0, P3 485da791,
P4 microsoft.visualbasic, P5 8.0.0.0, P6 4889f422, P7 5e, P8 1e1, P9 34ssps20bdj3nj0wmit5kamzhvglfzcc,
P10 NIL.

Error - 18/05/2010 08:47:27 | Computer Name = UPSTAIRS | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 sysrestorepoint.exe, P2 1.3.0.0, P3 485da791,
P4 microsoft.visualbasic, P5 8.0.0.0, P6 4889f422, P7 5e, P8 1e1, P9 34ssps20bdj3nj0wmit5kamzhvglfzcc,
P10 NIL.

Error - 18/05/2010 08:47:44 | Computer Name = UPSTAIRS | Source = .NET Runtime 2.0 Error Reporting | ID = 5000
Description = EventType clr20r3, P1 sysrestorepoint.exe, P2 1.3.0.0, P3 485da791,
P4 microsoft.visualbasic, P5 8.0.0.0, P6 4889f422, P7 5e, P8 1e1, P9 34ssps20bdj3nj0wmit5kamzhvglfzcc,
P10 NIL.

Error - 18/05/2010 17:07:34 | Computer Name = UPSTAIRS | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, faulting module
gmer.exe, version 1.0.15.15281, fault address 0x0000c4b1.

[ System Events ]
Error - 18/05/2010 16:49:44 | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
IntelIde

Error - 18/05/2010 18:10:02 | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7034
Description = The McAfee Online Backup service terminated unexpectedly. It has
done this 1 time(s).

Error - 18/05/2010 18:10:24 | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7034
Description = The McAfee SiteAdvisor Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 18/05/2010 18:10:24 | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7031
Description = The McAfee Personal Firewall service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 18/05/2010 18:10:24 | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7031
Description = The McAfee Services service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 18/05/2010 18:10:24 | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7031
Description = The McAfee VirusScan Announcer service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 18/05/2010 18:10:24 | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7031
Description = The McAfee Network Agent service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 18/05/2010 18:10:24 | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7031
Description = The McAfee Proxy Service service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 18/05/2010 18:12:04 | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7000
Description = The McAfee Anti-Spam Service service failed to start due to the following
error: %%2

Error - 18/05/2010 18:12:04 | Computer Name = UPSTAIRS | Source = Service Control Manager | ID = 7000
Description = The SSPORT service failed to start due to the following error: %%2


< End of report >

Thanks again for your time.



#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.


*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

#3
sys123

sys123

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks so much for your help with this.

I ran the HelpAsst tool which did report an mbr infection - I have pasted the log below and will await your instructions.

*******************

C:\Documents and Settings\megan bydder\Desktop\HelpAsst_mebroot_fix.exe
19/05/2010 at 12:49:12.04

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
Remove on reboot: C:\WINDOWS\system32\termsrv32.dll

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-
"5942:TCP"=-
"5943:TCP"=-
"3427:TCP"=-
"5354:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"2479:TCP"=-
"3246:TCP"=-
"3389:TCP"=-
"5942:TCP"=-
"5943:TCP"=-
"3427:TCP"=-
"5354:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-4154564019-1329677279-1632885254-1005
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

mbr infection detected! ~ running mbr -f

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8283d2e8
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x823e08f0
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
original MBR restored successfully !

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8283d2e8
NDIS: Intel® PRO/100 VE Network Connection -> SendCompleteHandler -> 0x823e08f0
Warning: possible MBR rootkit infection !
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !
Use "Recovery Console" command "fixmbr" to clear infection !

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 19/05/2010 at 13:16:01.45

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

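The HelpAsst log above shows what the tool actually did to the firewall policy: it closed nine exceptions per profile that the earlier OTL Extras dump listed as open to any address. The script below is an added example, not code from this thread or from the HelpAsst/OTL tools: it parses the OTL Extras registry-dump format, records whether each profile has `EnableFirewall` set, and flags enabled exceptions that are reachable from `*` and were not created by Windows itself. The one heuristic it relies on is that Windows XP SP2's own exceptions (File and Printer Sharing, UPnP) carry a localised resource-string label beginning `@xpsp2res.dll`, while user- or malware-added entries carry a free-text label such as `Services`. The sample input is a constructed excerpt whose values are copied from the Extras log posted earlier in this thread.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the OTL "Extras" log format. The values are copied
# from the firewall-policy dump posted earlier in this thread; nothing here
# was captured from any other machine.
SAMPLE_EXTRAS = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 1
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"3246:TCP" = 3246:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"5942:TCP" = 5942:TCP:*:Enabled:Services
"5943:TCP" = 5943:TCP:*:Enabled:Services
"3427:TCP" = 3427:TCP:*:Enabled:Services
"5354:TCP" = 5354:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"65533:TCP" = 65533:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')
# Exception data layout: <port>:<proto>:<scope>:<Enabled|Disabled>:<label>
PORT_RE = re.compile(r'^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]+):'
                     r'(?P<state>Enabled|Disabled):(?P<label>.*)$')
PROFILE_RE = re.compile(r'FirewallPolicy\\(\w+Profile)')


@dataclass(frozen=True)
class OpenPort:
    profile: str
    port: int
    proto: str
    scope: str
    enabled: bool
    label: str

    @property
    def builtin(self):
        # Exceptions Windows XP SP2 creates itself are labelled with a
        # localised resource string ("@xpsp2res.dll,-NNNNN").
        return self.label.startswith('@')


def parse_firewall_policy(text):
    """Return ({profile: firewall_enabled}, [OpenPort, ...]) from an OTL Extras dump."""
    enabled = {}
    ports = []
    profile = None
    in_port_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            pm = PROFILE_RE.search(key)
            profile = pm.group(1) if pm else None
            in_port_list = key.endswith(r'GloballyOpenPorts\List')
            continue
        m = VALUE_RE.match(line)
        if not m or profile is None:
            continue
        name, data = m.group('name'), m.group('data').strip()
        if in_port_list:
            pm = PORT_RE.match(data)
            if pm:
                ports.append(OpenPort(profile, int(pm['port']), pm['proto'],
                                      pm['scope'], pm['state'] == 'Enabled', pm['label']))
        elif name == 'EnableFirewall':
            enabled[profile] = data == '1'
    return enabled, ports


def flag_rogue_ports(ports):
    """Enabled exceptions reachable from any address that Windows did not create."""
    return [p for p in ports if p.enabled and p.scope == '*' and not p.builtin]


def triage(text):
    """Human-readable findings; a reviewer still decides what is legitimate."""
    enabled, ports = parse_firewall_policy(text)
    findings = [f'{prof}: Windows Firewall is OFF (EnableFirewall = 0)'
                for prof, on in sorted(enabled.items()) if not on]
    findings += [f'{p.profile}: {p.port}/{p.proto} open to {p.scope} ({p.label!r})'
                 for p in flag_rogue_ports(ports)]
    return findings


if __name__ == '__main__':
    for finding in triage(SAMPLE_EXTRAS):
        print(finding)
```

On the constructed input the DomainProfile findings are exactly the nine entries the HelpAsst log reports closing, which is the point of the heuristic: the entries are not tied to any installed application and are open to every address. Two caveats for anyone reusing this: `EnableFirewall = 0` is normal when a third-party firewall has taken over (the uninstall list in this thread shows McAfee Internet Security), so that finding is context rather than proof of compromise; and a `Remote Desktop` exception can be legitimate, which is why the script reports it rather than deciding for you.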
#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.




Download ComboFix here :

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Here is a guide on how to disable them

    Click me

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[screenshot of the message]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#5
sys123 - New Member, Topic Starter, 6 posts
Thanks for your reply. I have downloaded and run Combofix (log pasted below) and will await your further advice. Could I also ask a couple of questions in the meantime?

1. I have another PC on my home network which has only been used a handful of times in the past 6 months. Should I assume this is also infected and, if so, should I go through all the same steps with this computer, or just go straight in with the stages you have advised before, i.e. HelpAsst_mebroot_fix.exe and Combofix?

2. Do the logs give any indication of how long the infection might have been present on the computer?

Thanks again for all your help, I really appreciate it.

***************************

Combofix log

ComboFix 10-05-17.05 - megan bydder 19/05/2010 15:26:20.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.272 [GMT 1:00]
Running from: c:\documents and settings\megan bydder\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-04-19 to 2010-05-19 )))))))))))))))))))))))))))))))
.

2010-05-19 13:16 . 2010-05-19 13:16 -------- d-----w- c:\windows\LastGood
2010-05-19 11:49 . 2010-05-19 11:49 -------- d-----w- C:\HelpAsst_backup
2010-05-18 20:35 . 2010-05-18 20:35 -------- d-----w- c:\documents and settings\megan bydder\Application Data\Malwarebytes
2010-05-18 20:35 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-18 20:35 . 2010-05-18 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-18 20:35 . 2010-05-18 20:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-18 20:35 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-18 12:31 . 2010-05-18 12:31 -------- d-----w- c:\program files\ERUNT
2010-04-26 15:48 . 2010-04-26 16:01 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-04-26 15:39 . 2010-05-19 12:08 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-26 15:38 . 2010-04-26 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-26 15:38 . 2010-04-26 15:38 -------- d-----w- c:\program files\Hitman Pro 3.5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-19 12:44 . 2009-01-25 16:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-04-27 16:16 . 2010-04-15 19:31 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-04-27 16:16 . 2010-04-15 19:31 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-04-27 16:16 . 2010-04-15 19:31 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-04-27 16:16 . 2010-04-15 19:31 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-04-27 16:16 . 2010-04-15 19:31 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-04-27 16:16 . 2010-04-15 19:31 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-04-27 16:16 . 2010-04-15 19:31 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 16:16 . 2010-04-15 19:31 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 16:16 . 2010-04-15 19:31 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-04-27 16:16 . 2010-04-15 19:31 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-16 18:31 . 2005-04-08 15:26 -------- d-----w- c:\program files\Common Files\Java
2010-04-16 18:30 . 2005-04-13 16:47 -------- d-----w- c:\program files\Google
2010-04-16 18:30 . 2010-04-16 18:30 503808 ----a-w- c:\documents and settings\megan bydder\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-21e74340-n\msvcp71.dll
2010-04-16 18:30 . 2010-04-16 18:30 499712 ----a-w- c:\documents and settings\megan bydder\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-21e74340-n\jmc.dll
2010-04-16 18:30 . 2010-04-16 18:30 348160 ----a-w- c:\documents and settings\megan bydder\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-21e74340-n\msvcr71.dll
2010-04-16 18:30 . 2010-04-16 18:30 61440 ----a-w- c:\documents and settings\megan bydder\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-75939ceb-n\decora-sse.dll
2010-04-16 18:30 . 2010-04-16 18:30 12800 ----a-w- c:\documents and settings\megan bydder\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-75939ceb-n\decora-d3d.dll
2010-04-16 18:29 . 2005-04-08 15:26 -------- d-----w- c:\program files\Java
2010-04-16 18:27 . 2008-08-15 19:35 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-16 18:26 . 2006-07-17 16:22 -------- d-----w- c:\program files\McAfee
2010-04-16 18:26 . 2010-04-16 18:26 -------- d-----w- c:\program files\McAfeeMOBK
2010-04-16 18:25 . 2010-04-16 18:25 -------- d-----w- c:\program files\McAfee Online Backup
2010-04-16 18:23 . 2008-08-15 19:48 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-16 18:22 . 2010-04-16 18:22 -------- d-----w- c:\program files\McAfee.com
2010-04-16 18:05 . 2010-04-16 18:05 135 ----a-w- c:\documents and settings\megan bydder\Local Settings\Application Data\fusioncache.dat
2010-04-14 19:08 . 2009-11-07 20:48 79488 ----a-w- c:\documents and settings\megan bydder\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-04-12 16:29 . 2010-04-16 18:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-03-18 09:41 . 2005-04-25 21:12 29128 ----a-w- c:\documents and settings\megan bydder\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 2004-08-10 11:51 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-08-10 11:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2004-08-10 11:51 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2007-04-21 09:07 . 2007-04-21 09:07 104576 ----a-w- c:\program files\MF
2008-05-21 21:06 . 2006-08-17 08:51 104 --sh--r- c:\windows\system32\F8F6A4C789.sys
2008-05-21 21:06 . 2006-08-17 08:32 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-02-05 20:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-02-05 20:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-02-05 20:14 2871608 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-12-11 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"4500w Scan2PC"="c:\windows\Twain_32\Samsung\SCX4500W\Scan2Pc.exe" [2008-01-08 491520]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-21 536576]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-04-28 5937984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\SCX4500W\\Sscan2io.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\SCX4500W\\Scan2Pc.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [15/04/2010 20:31 82952]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [16/04/2010 19:25 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [15/04/2010 20:30 271480]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [15/04/2010 20:30 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [15/04/2010 20:30 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [16/04/2010 19:23 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [15/04/2010 20:31 141792]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [05/02/2010 21:14 229688]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [15/04/2010 20:31 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [15/04/2010 20:31 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [15/04/2010 20:31 88480]
S2 0049771274275019mcinstcleanup;McAfee Application Installer Cleanup (0049771274275019);c:\windows\TEMP\004977~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\004977~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/12/2009 19:33 135664]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [15/04/2010 20:31 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [15/04/2010 20:31 83496]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-19 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 19:25]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 18:33]

2010-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-30 18:33]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.btbroadbandstart.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: SmarThru4 Capture Selection - c:\program files\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\SmarThru 4\WebCapture.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {A19F0E9E-D4C2-4A96-8EA7-0F64A9B2643F} - hxxp://www.pi.nhs.uk/download/cab/CentileCalc515uk.cab
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-PCMService - c:\program files\Dell\Media Experience\PCMService.exe
HKU-Default-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
AddRemove-McAfee Uninstall Utility - c:\progra~1\McAfee.com\Shared\mcappins.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-19 15:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(156)
c:\windows\system32\WININET.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-05-19 15:42:01
ComboFix-quarantined-files.txt 2010-05-19 14:41

Pre-Run: 47,850,881,024 bytes free
Post-Run: 47,850,786,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 6C0DA97C143B9CA2CADB5168E7A80A0F
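Added example, not part of the thread and not code from any of the tools named in it: a small Python triage script that reads a pasted log excerpt and pulls out the two things a helper looks for in the outputs above, the MBR detector's sector hits ("copy of MBR has been found", "malicious code @ sector", "PE file found") from the HelpAsst_mebroot_fix output posted earlier in the thread, and the Security Center and firewall-policy values ComboFix lists under "Reg Loading Points" in the log just above. The sample log is a constructed excerpt copied from this thread's logs; the function names, the list of watched values and the wording of the verdicts are my own assumptions. The Security Center override and DisableMonitoring values are normally written by a third-party security suite such as the McAfee products this log lists, so the script reports them for review rather than as infection.

```python
import re

# Constructed excerpt (assumption) modelled on two logs posted in this thread:
# the "Checking mbr" block of the HelpAsst_mebroot_fix output and part of the
# "Reg Loading Points" block of the ComboFix log. Sector numbers and values
# are copied from the thread; the excerpt is trimmed, not a complete log.
SAMPLE_LOG = r"""
~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x094FE9BD
malicious code @ sector 0x094FE9C0 !
PE file found in sector at 0x094FE9D6 !

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

# Lines the MBR detector prints when it finds a saved copy of the MBR or
# foreign code in other disk sectors; capture the sector number.
MBR_HIT_RE = re.compile(
    r"(copy of MBR has been found|malicious code|PE file found).*?sector(?: at)? (0x[0-9A-Fa-f]+)",
    re.IGNORECASE,
)
# A REGEDIT4-style key header and a "name"=value line with a numeric value
# (string values such as "swg"="c:\..." deliberately do not match).
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)')

# (key path fragment, value name, value that weakens protection, explanation).
# This list is my own choice (assumption). Third-party suites such as McAfee
# set these legitimately, so a hit means "confirm a real AV/firewall owns it".
WATCHED = [
    ("security center", "antivirusoverride", 1,
     "Security Center told not to alert on antivirus state"),
    ("security center", "firewalloverride", 1,
     "Security Center told not to alert on firewall state"),
    ("security center\\monitoring", "disablemonitoring", 1,
     "Security Center monitoring disabled for this product"),
    ("firewallpolicy\\standardprofile", "enablefirewall", 0,
     "Windows Firewall disabled in the standard profile"),
]


def triage(log_text):
    """Walk a pasted log once; return MBR sector hits and flagged registry values."""
    mbr_hits, registry_flags = [], []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hit = MBR_HIT_RE.search(line)
        if hit:
            mbr_hits.append({"line": line, "sector": hit.group(2)})
            continue
        key = REG_KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = REG_VALUE_RE.match(line)
        if not (val and current_key):
            continue
        name, value = val.group(1), int(val.group(2), 16)
        for key_part, value_name, bad_value, why in WATCHED:
            if (key_part in current_key.lower()
                    and name.lower() == value_name
                    and value == bad_value):
                registry_flags.append(
                    {"key": current_key, "name": name, "value": value, "why": why})
    return {"mbr": mbr_hits, "registry": registry_flags}


def verdict(findings):
    """One-line summary in the order a helper would prioritise the findings."""
    if findings["mbr"]:
        return "MBR rootkit indicators present: %d sector hit(s)" % len(findings["mbr"])
    if findings["registry"]:
        return "No MBR hits; %d protection setting(s) to review" % len(findings["registry"])
    return "Nothing flagged"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(verdict(result))
    for hit in result["mbr"]:
        print("  MBR  sector %s: %s" % (hit["sector"], hit["line"]))
    for flag in result["registry"]:
        print("  REG  %s\\%s = %d (%s)" % (flag["key"], flag["name"], flag["value"], flag["why"]))
```

Run it as a script and it prints the verdict followed by one line per finding; to use it on a real thread, read the pasted log from a file and pass the text to triage(). The MBR hits are ranked first because a saved MBR copy plus foreign code in nearby sectors is the pattern this thread's infection showed, while the registry values only ask the helper to confirm which product disabled the built-in monitoring.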

#6
Rorschach112 (Ralphie) - Retired Staff, 47,710 posts
Run MBAM on the other machine; if it finds anything, make a new topic for it here.


Can't tell how long the infection has been there.


Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


#7
sys123 - New Member, Topic Starter, 6 posts
Thanks again for your reply. Sorry it has taken so long, but I had problems running Kaspersky, as McAfee kept restarting even though I had disabled it. Eventually I uninstalled McAfee and ran Kaspersky overnight.

MBAM and Kaspersky logs pasted below.

*********************
MBAM log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4117

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/05/2010 16:48:31
mbam-log-2010-05-19 (16-48-31).txt

Scan type: Quick scan
Objects scanned: 124513
Time elapsed: 7 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

****************************
Kaspersky log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, May 20, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, May 19, 2010 15:03:13
Records in database: 4134826
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Objects scanned: 101108
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 03:03:24


File name / Threat / Threats count
C:\HelpAsst_backup\C\DOCUME~1\HELPAS~1\Local Settings\Temporary Internet Files\Content.IE5\NMAWLGJ2\geticon[1].pdf Infected: Exploit.JS.Pdfka.cic 1
C:\WINDOWS\Options\Install\select.exe Infected: not-a-virus:Monitor.Win32.PCRecord.an 1

Selected area has been scanned.

*************************************

#8
Rorschach112 (Ralphie) - Retired Staff, 47,710 posts
Your logs are clean


Follow these steps to uninstall Combofix and the tools used in the removal of malware.

Uninstall ComboFix

Remove Combofix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.



  • Open OTL
  • Under the Custom Scans/Fixes box at the bottom, paste the following:
    :Commands
    [clearallrestorepoints]
  • Click the Run Fix button at the top
  • It might ask you to reboot, if so click YES



  • Open OTL to run it. (Vista users, right click on OTL and "Run as administrator")
  • Click on the CleanUp button.
  • Click Yes to begin the cleanup process and remove tools, including this application
  • You may be asked to reboot the machine to finish the cleanup process - if so, choose Yes



  • Please read my guide on how to prevent malware and about safe computing here
Thank you for your patience, and performing all of the procedures requested.

#9
sys123 - New Member, Topic Starter, 6 posts
I have done everything you suggested and am delighted to be rid of this infection.

Just want to say thank you so much for your help with this, I really appreciate all that you do here. :)

#10
Rorschach112 (Ralphie) - Retired Staff, 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.