
I can’t figure out what this Virus is


This topic is locked

#1 whynot53
Member, 41 posts
I have been getting this strange little popup that has the icons of any program that I have open at the time, with a blue ring that alternately flashes around each icon. When it is doing this I’m unable to operate or close those programs or open any other programs or windows. It pops up very randomly, and sometimes I can go for days or even weeks between outbreaks. I have not been able to figure out any pattern to the outbreaks or anything that triggers them. I don’t get any messages from it or website redirects.
It does seem to run in the background and do screwy little things: the mouse right-click menu will suddenly appear, Firefox will suddenly open to my homepage but all the icons won’t work, and the other day, in the Audio Master Volume Control, when I would try to move the slider to increase the volume, it would just keep drifting back to zero. It has launched the Microsoft Outlook Setup Program a couple of times. I don’t use Outlook; I use Thunderbird for email.
I have to reboot in order to stop it and then wait until it pops up again. When it is active I’m able to press Ctrl+Alt+Del to start Windows Task Manager. It locks up all the pull-down menus in Task Manager, but I am able to use the tabs and the End Task icon. I checked the Applications and Processes tabs and found nothing unusual. I have tried ending all the running applications and then ending the running processes, one by one, to see if I could find an association, but have had no luck. I was able to get Process Explorer started once during an outbreak but found nothing unusual. I wish I could get a screenshot of it during an outbreak to show you the popup, but I have not been able to so far.
McAfee AntiVirus Plus is my regular antivirus and firewall. I always keep my Microsoft updates current.
When I run TFC it seems to disable it somewhat. My computer runs better for a while and the outbreaks don’t happen for a while.
I have searched the Internet and your forum and have not been able to find any info that resembles my problem. I have run many scan programs and they all have come up with nothing.

Programs that I have used:

a-squared
Advanced System Protector
Anti-Vir
Avast!
BitDefender
ESET
File Research Center
Kaspersky Virus Removal Tool
MBAM
McAfee AntiVirus Plus
Panda ActiveScan
Sophos Anti-Rootkit
Sophos Threat Detection Test
Spybot - Search & Destroy
SUPERAntiSpyware
Symantec
Trend Micro HouseCall
USEC Radix

P.S. - I composed all of this in Microsoft Word so that I could just paste it into my post. When I finished running OTL and tried to open this Word file so I could start pasting, I received a BSOD. I rebooted and everything seems fine.

I have followed the steps in the Malware and Spyware Cleaning Guide. The MBAM, GMER and OTL logs are listed below:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4155

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/30/2010 1:42:20 AM
mbam-log-2010-05-30 (01-42-20).txt

Scan type: Quick scan
Objects scanned: 127565
Time elapsed: 11 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-30 03:38:30
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Dan\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF76AFDB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF76AFDC4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF76AFDF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF76AFE46]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF76AFD9C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF76AFD74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF76AFD88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF76AFDDA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF76AFE1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF76AFE06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF76AFE70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF76AFE5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF76AFE30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EB6 7 Bytes JMP F76AFE34 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D48 5 Bytes JMP F76AFDA0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 80570833 5 Bytes JMP F76AFDB4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805719AC 5 Bytes JMP F76AFD78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572A6E 7 Bytes JMP F76AFE0A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805738C6 5 Bytes JMP F76AFE60 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573D41 7 Bytes JMP F76AFE4A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805824CC 5 Bytes JMP F76AFE74 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058E5C4 5 Bytes JMP F76AFD8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D64 7 Bytes JMP F76AFDF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 80595316 7 Bytes JMP F76AFDC8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetSecurityObject 8059B1F3 5 Bytes JMP F76AFE20 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064EAEA 7 Bytes JMP F76AFDDE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\Drivers\PROCEXP141.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00900FEF
.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0090001E
.text C:\WINDOWS\System32\svchost.exe[448] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00900FDE
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0000
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB009D
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB008C
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0FB2
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB0FC3
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0040
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB00D5
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB00B8
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F57
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F72
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BB0101
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BB0065
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BB0F8D
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BB0025
.text C:\WINDOWS\System32\svchost.exe[448] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BB00E6
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BA001E
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BA0054
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BA0F97
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BA0FB2
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DA, 88]
.text C:\WINDOWS\System32\svchost.exe[448] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BA002F
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0093002C
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930011
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930000
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930FEF
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930FA1
.text C:\WINDOWS\System32\svchost.exe[448] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930FC6
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00910FEF
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 0091000A
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 0091001B
.text C:\WINDOWS\System32\svchost.exe[448] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00910036
.text C:\WINDOWS\System32\svchost.exe[448] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00920000
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[756] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[756] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1064] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1064] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\system32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE0011
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C10F7E
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C10073
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C10058
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C10047
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C10F41
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C10F5C
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C10F1F
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C100AE
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C100D3
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C10FA5
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C1001B
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C10F6D
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C10FCA
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\svchost.exe[1064] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C10F30
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C00F79
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C00FC3
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C00F94
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C0002C
.text C:\WINDOWS\system32\svchost.exe[1064] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C0001B
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BF0011
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BF0FE3
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BF002C
.text C:\WINDOWS\system32\svchost.exe[1064] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\services.exe[1256] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1256] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040FCA
.text C:\WINDOWS\system32\services.exe[1256] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0004000A
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D00F77
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D00062
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00F88
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D00047
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00FC0
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D000BD
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D000A2
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D00F3F
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D000D8
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D00F2E
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D00FA5
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D00087
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D00022
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D00011
.text C:\WINDOWS\system32\services.exe[1256] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D00F5A
.text C:\WINDOWS\system32\services.exe[1256] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FB9
.text C:\WINDOWS\system32\services.exe[1256] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0007006C
.text C:\WINDOWS\system32\services.exe[1256] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070014
.text C:\WINDOWS\system32\services.exe[1256] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1256] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[1256] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[1256] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00070036
.text C:\WINDOWS\system32\services.exe[1256] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070025
.text C:\WINDOWS\system32\services.exe[1256] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060FA4
.text C:\WINDOWS\system32\services.exe[1256] msvcrt.dll!system 77C293C7 5 Bytes JMP 0006002F
.text C:\WINDOWS\system32\services.exe[1256] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FC6
.text C:\WINDOWS\system32\services.exe[1256] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1256] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FB5
.text C:\WINDOWS\system32\services.exe[1256] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FE3
.text C:\WINDOWS\system32\services.exe[1256] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[1268] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\lsass.exe[1268] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\lsass.exe[1268] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C2000A
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20F58
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C20F69
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20F86
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20F97
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20FB9
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C20F31
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20079
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C20F20
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C200B9
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C200D4
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20FA8
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C20068
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20025
.text C:\WINDOWS\system32\lsass.exe[1268] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C2009E
.text C:\WINDOWS\system32\lsass.exe[1268] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C1002F
.text C:\WINDOWS\system32\lsass.exe[1268] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C1005B
.text C:\WINDOWS\system32\lsass.exe[1268] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C10FDE
.text C:\WINDOWS\system32\lsass.exe[1268] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C1000A
.text C:\WINDOWS\system32\lsass.exe[1268] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C10F9E
.text C:\WINDOWS\system32\lsass.exe[1268] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\lsass.exe[1268] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C10FB9
.text C:\WINDOWS\system32\lsass.exe[1268] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E1, 88] {LOOPZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\lsass.exe[1268] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C10040
.text C:\WINDOWS\system32\lsass.exe[1268] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00FC3
.text C:\WINDOWS\system32\lsass.exe[1268] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\lsass.exe[1268] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C0003A
.text C:\WINDOWS\system32\lsass.exe[1268] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C0000C
.text C:\WINDOWS\system32\lsass.exe[1268] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\lsass.exe[1268] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00029
.text C:\WINDOWS\system32\lsass.exe[1268] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F40FDE
.text C:\WINDOWS\system32\svchost.exe[1416] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F80082
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80071
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80F97
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80054
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F80FB2
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F800A4
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F80F5C
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F800EB
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F800DA
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F80F41
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80039
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FDE
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80093
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80028
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80FCD
.text C:\WINDOWS\system32\svchost.exe[1416] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F800BF
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F70FC3
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70F79
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70FD4
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70F8A
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F70036
.text C:\WINDOWS\system32\svchost.exe[1416] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70025
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60025
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F60FA4
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F6000A
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60FE3
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F60FB5
.text C:\WINDOWS\system32\svchost.exe[1416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60FD2
.text C:\WINDOWS\system32\svchost.exe[1416] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\svchost.exe[1480] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1480] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CE000A
.text C:\WINDOWS\system32\svchost.exe[1480] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D20FEF
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D20F74
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D20069
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D2004E
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D2003D
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D20022
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D200A1
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D20086
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D200C3
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D200B2
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D200DE
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D20FA5
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D20FD4
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D20F59
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D20011
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[1480] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D20F34
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D10047
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D10062
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D10036
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D1001B
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D10FA5
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D10000
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D10FCA
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F1, 88]
.text C:\WINDOWS\system32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D10FDB
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D00FCA
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D00055
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D0003A
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D00FE5
.text C:\WINDOWS\system32\svchost.exe[1480] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D00029
.text C:\WINDOWS\system32\svchost.exe[1480] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0000
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 03910FEF
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [87]
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 03910FD4
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [87]
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 03910014
.text C:\WINDOWS\System32\svchost.exe[1520] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [87]
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03930000
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03930064
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03930F6F
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03930F8A
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03930047
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03930FC0
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03930F4A
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03930086
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 039300A3
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03930F14
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03930EEF
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03930FA5
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03930011
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03930075
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03930FDB
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0393002C
.text C:\WINDOWS\System32\svchost.exe[1520] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03930F25
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03920036
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03920084
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03920FDB
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03920011
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03920073
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03920000
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03920058
.text C:\WINDOWS\System32\svchost.exe[1520] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03920047
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03590FB2
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!system 77C293C7 5 Bytes JMP 0359003D
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03590018
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03590FEF
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03590FC3
.text C:\WINDOWS\System32\svchost.exe[1520] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03590FDE
.text C:\WINDOWS\System32\svchost.exe[1520] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03580000
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03570FE5
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03570FD4
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03570FB9
.text C:\WINDOWS\System32\svchost.exe[1520] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 0357000A
.text C:\WINDOWS\System32\svchost.exe[1560] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00740FEF
.text C:\WINDOWS\System32\svchost.exe[1560] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00740FB9
.text C:\WINDOWS\System32\svchost.exe[1560] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00740FD4
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780000
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007800AE
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780FB9
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780093
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780076
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780040
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00780F7C
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00780F8D
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007800F3
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F50
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00780F3F
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0078005B
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0078001B
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00780F9E
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00780FD4
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00780FE5
.text C:\WINDOWS\System32\svchost.exe[1560] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00780F6B
.text C:\WINDOWS\System32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00770047
.text C:\WINDOWS\System32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00770F9E
.text C:\WINDOWS\System32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00770036
.text C:\WINDOWS\System32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0077001B
.text C:\WINDOWS\System32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00770FAF
.text C:\WINDOWS\System32\svchost.exe[1560] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00770000
.text C:\WINDOWS\System32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00770FCA
.text C:\WINDOWS\System32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [97, 88]
.text C:\WINDOWS\System32\svchost.exe[1560] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00770FDB
.text C:\WINDOWS\System32\svchost.exe[1560] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00760036
.text C:\WINDOWS\System32\svchost.exe[1560] msvcrt.dll!system 77C293C7 5 Bytes JMP 00760FAB
.text C:\WINDOWS\System32\svchost.exe[1560] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00760011
.text C:\WINDOWS\System32\svchost.exe[1560] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00760FE3
.text C:\WINDOWS\System32\svchost.exe[1560] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00760FBC
.text C:\WINDOWS\System32\svchost.exe[1560] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00760000
.text C:\WINDOWS\System32\svchost.exe[1560] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750000
.text C:\WINDOWS\System32\svchost.exe[1616] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\System32\svchost.exe[1616] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\System32\svchost.exe[1616] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20087
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C20F88
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C2006C
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C2005B
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20FD4
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C20F5C
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20F6D
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C200D0
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C200B5
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C200F5
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20FB9
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C2000A
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C20098
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20040
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20025
.text C:\WINDOWS\System32\svchost.exe[1616] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C20F37
.text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C10FC3
.text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C1005B
.text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C10FD4
.text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C1000A
.text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C10F94
.text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C10036
.text C:\WINDOWS\System32\svchost.exe[1616] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C10025
.text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C0001B
.text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00F9A
.text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00FB5
.text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C0000A
.text C:\WINDOWS\System32\svchost.exe[1616] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00FD2
.text C:\WINDOWS\System32\svchost.exe[1616] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\Explorer.EXE[1968] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\Explorer.EXE[1968] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BC0025
.text C:\WINDOWS\Explorer.EXE[1968] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BC000A
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70097
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C70086
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C70FAC
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70069
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C7003D
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C700C3
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C700B2
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C700E5
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C70F56
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C70F27
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C7004E
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C70000
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C70F87
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C70022
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C70011
.text C:\WINDOWS\Explorer.EXE[1968] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C700D4
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C60FA8
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C60036
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C60FB9
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C60FD4
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C60025
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C60FE5
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C60014
.text C:\WINDOWS\Explorer.EXE[1968] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C60F8D
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C50053
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C50FC8
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C50038
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C5000C
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C50FD9
.text C:\WINDOWS\Explorer.EXE[1968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C5001D
.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BD0FCD
.text C:\WINDOWS\Explorer.EXE[1968] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00BD0FBC
.text C:\WINDOWS\Explorer.EXE[1968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


OTL logfile created on: 5/30/2010 3:57:39 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Dan\Desktop\G to G Malware and Spyware Cleaning Guide & Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 594.00 Mb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 56.98 Gb Free Space | 76.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAN
Current User Name: Dan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/29 01:02:48 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\G to G Malware and Spyware Cleaning Guide & Programs\OTL.exe
PRC - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe
PRC - [2010/04/14 12:29:58 | 000,170,144 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2010/04/01 23:05:04 | 001,180,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2008/04/23 03:08:13 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/09/13 11:33:20 | 000,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2004/08/19 09:40:08 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe


========== Modules (SafeList) ==========

MOD - [2010/05/29 01:02:48 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\G to G Malware and Spyware Cleaning Guide & Programs\OTL.exe
MOD - [2008/04/14 06:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/27 17:16:24 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/04/27 17:16:24 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/04/14 12:29:58 | 000,170,144 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/10 11:16:56 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2009/12/14 21:08:40 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)


========== Driver Services (SafeList) ==========

DRV - [2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/02/11 05:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/05/06 21:03:45 | 000,054,624 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\1362.sys -- (1362)
DRV - [2009/04/18 07:30:38 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/04/18 07:30:38 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2008/04/14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/06/22 11:06:48 | 000,043,408 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\fsRamDsk.sys -- (fsRamDsk)
DRV - [2005/04/19 16:51:16 | 000,460,992 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ntpr11ag.sys -- (NTPR_NIC_SERVICE2)
DRV - [2005/03/21 11:00:24 | 000,004,096 | ---- | M] (SuperAdBlocker.com) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\sabprocenum.sys -- (SABProcEnum)
DRV - [2004/11/16 10:03:52 | 000,108,791 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/04/19 16:01:00 | 000,006,656 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gflmouhid.sys -- (genmcmnUSB)
DRV - [2003/05/30 19:45:16 | 000,477,403 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vpctcom.sys -- (Vpctcom)
DRV - [2003/05/30 18:50:46 | 000,690,973 | ---- | M] (PCTEL, INC.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vmodem.sys -- (Vmodem)
DRV - [2003/05/28 13:08:12 | 000,066,111 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vvoice.sys -- (Vvoice)
DRV - [2003/02/24 16:30:02 | 000,135,292 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ptserial.sys -- (Ptserial)
DRV - [2003/01/23 17:37:50 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2003/01/20 23:44:36 | 000,569,984 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2002/04/05 16:00:54 | 000,073,827 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90Xbc5.SYS -- (EL90XBC)
DRV - [2001/08/17 05:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 40 9B 84 7E BB 3D CA 01 [binary data]
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.order.2: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "megaup"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "megaup"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://att.my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 49
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1
FF - prefs.js..keyword.URL: "http://search.yahoo....8&fr=megaup&p="

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/05/26 08:16:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/18 16:43:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/19 14:41:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/04/19 15:14:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2008/11/24 12:56:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Mozilla\Extensions
[2010/05/29 22:01:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\extensions
[2010/04/27 02:32:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/16 11:34:42 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/05/02 02:34:53 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/11/15 22:50:16 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/03/23 21:44:20 | 000,002,131 | ---- | M] () -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\searchplugins\bmrk-file-host-search.xml
[2009/01/14 09:37:17 | 000,002,305 | ---- | M] () -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\searchplugins\downloadhelper-adult-videos.xml
[2010/05/29 22:01:23 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/16 11:44:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/27 17:16:24 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/01/01 12:56:32 | 000,370,499 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 12797 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20100518164357.dll (McAfee, Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PCTVOICE] C:\WINDOWS\System32\pctspk.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\Dan\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: akamai.net ([a248.e] https in Trusted sites)
O15 - HKCU\..Trusted Domains: bitdefender.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: netflame.cc ([ssl-hints] https in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1227541551745 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1227541633462 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/24 03:53:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{00fca560-3113-11de-9f38-000874e4035e}\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run
O33 - MountPoints2\{8395f2f5-4aa9-11de-9f55-0020a6524190}\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run
O33 - MountPoints2\F\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run
O33 - MountPoints2\G\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (sasnative32) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/11/15 16:34:22 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.ffds - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.I420 - C:\WINDOWS\System32\i420vfw.dll (www.helixcommunity.org)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.tscc - C:\PROGRA~1\MpcStar\Codecs\tscc\tsccvid.dll File not found
Drivers32: vidc.yv12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/30 01:25:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Application Data\Malwarebytes
[2010/05/30 01:25:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/30 01:25:17 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/30 01:25:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/30 01:25:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/30 01:17:45 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/29 02:09:03 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dan\Recent
[2010/05/22 03:49:34 | 000,000,000 | ---D | C] -- C:\Program Files\MediaInfo
[2010/05/17 21:53:10 | 000,942,960 | ---- | C] (McAfee Inc.) -- C:\Documents and Settings\Dan\Local Settings\Application Data\MvtApp.exe
[2010/05/13 02:34:24 | 000,000,000 | ---D | C] -- C:\Program Files\Avidemux 2.5
[2010/05/13 02:20:32 | 000,719,872 | ---- | C] (Abysmal Software) -- C:\WINDOWS\System32\devil.dll
[2010/05/13 02:20:30 | 000,369,152 | ---- | C] (The Public) -- C:\WINDOWS\System32\avisynth.dll
[2010/05/13 02:20:26 | 000,070,656 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\yv12vfw.dll
[2010/05/13 02:20:26 | 000,070,656 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\i420vfw.dll
[2010/05/13 02:20:23 | 000,000,000 | ---D | C] -- C:\Program Files\AviSynth 2.5
[2010/05/13 02:19:22 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/05/13 02:19:22 | 000,216,064 | RHS- | C] (MONOGRAM Multimedia, s.r.o.) -- C:\WINDOWS\System32\nbDX.dll
[2010/05/13 02:19:22 | 000,186,880 | RHS- | C] (RadLight) -- C:\WINDOWS\System32\RLOgg.ax
[2010/05/13 02:19:22 | 000,179,200 | RHS- | C] (Gabest) -- C:\WINDOWS\System32\DiracSplitter.ax
[2010/05/13 02:19:22 | 000,169,472 | RHS- | C] (Gabest) -- C:\WINDOWS\System32\MatroskaDX.ax
[2010/05/13 02:19:22 | 000,163,328 | RHS- | C] (Gabest) -- C:\WINDOWS\System32\flvDX.dll
[2010/05/13 02:19:22 | 000,161,792 | RHS- | C] (Gabest) -- C:\WINDOWS\System32\RealMediaDX.ax
[2010/05/13 02:19:22 | 000,092,672 | RHS- | C] (RadLight) -- C:\WINDOWS\System32\RLVorbisDec.ax
[2010/05/13 02:19:22 | 000,090,112 | RHS- | C] (-) -- C:\WINDOWS\System32\TTADSSplitter.ax
[2010/05/13 02:19:22 | 000,090,112 | RHS- | C] (-) -- C:\WINDOWS\System32\TTADSDecoder.ax
[2010/05/13 02:19:22 | 000,067,584 | RHS- | C] (RadLight, LLC) -- C:\WINDOWS\System32\RLTheoraDec.ax
[2010/05/13 02:19:22 | 000,031,232 | RHS- | C] (Hans Mayerl) -- C:\WINDOWS\System32\msfDX.dll
[2010/05/13 02:19:21 | 000,123,904 | RHS- | C] (CoreCodec) -- C:\WINDOWS\System32\AVCDX.ax
[2010/05/13 02:19:11 | 000,000,000 | ---D | C] -- C:\Program Files\eRightSoft
[2010/05/13 01:10:28 | 000,000,000 | ---D | C] -- C:\Program Files\Easy Video Joiner
[2010/05/12 15:32:21 | 000,000,000 | ---D | C] -- C:\Program Files\Smart Projects
[2010/05/07 13:09:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\2wire Gateway
[2010/04/29 14:00:50 | 000,000,000 | ---D | C] -- C:\Program Files\AirPort
[2010/04/27 03:00:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Application Data\McAfee
[2010/04/27 02:46:32 | 000,009,344 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/04/27 02:46:17 | 000,312,616 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/04/27 02:46:17 | 000,088,480 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/04/27 02:46:17 | 000,083,496 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/04/27 02:46:17 | 000,082,952 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/04/27 02:46:16 | 000,152,320 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/04/27 02:46:16 | 000,055,456 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/04/27 02:46:16 | 000,051,688 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/04/27 02:46:04 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Mcafee
[2010/04/27 02:46:02 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2010/04/27 02:45:25 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/04/27 02:34:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/04/27 02:27:35 | 000,000,000 | ---D | C] -- C:\mfe
[2010/04/26 00:59:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/19 14:49:20 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/19 14:48:04 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/19 14:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/19 14:31:11 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/18 23:18:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\G to G Malware and Spyware Cleaning Guide & Programs
[2010/04/18 12:21:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Kaspersky
[2010/04/18 04:20:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Adobe Photoshop CS2 Updates
[2010/04/17 02:59:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Adobe Acrobat 7.0 Professional Updates
[2010/04/16 11:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/16 11:44:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/01 01:41:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Pics
[2010/03/29 23:52:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Trackball World
[2010/03/29 23:51:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Hitachi DeskStar Harddrive
[2010/03/15 22:30:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Waste King
[2010/03/14 03:22:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\dwhelper
[2010/03/10 07:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Application Data\vlc
[2004/11/24 12:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll

========== Files - Modified Within 90 Days ==========

[2010/05/30 01:45:09 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk
[2010/05/30 01:45:05 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/30 01:44:39 | 000,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/05/30 01:44:33 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/30 01:44:29 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/30 01:43:13 | 009,437,184 | -H-- | M] () -- C:\Documents and Settings\Dan\NTUSER.DAT
[2010/05/30 01:43:13 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Dan\ntuser.ini
[2010/05/30 01:25:22 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/30 01:17:46 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\NTREGOPT.lnk
[2010/05/30 01:17:46 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\ERUNT.lnk
[2010/05/30 00:59:25 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\Geeks to Go Log.doc
[2010/05/29 02:10:50 | 000,000,845 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\TFC.exe.lnk
[2010/05/29 01:45:22 | 000,000,873 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\McAfee Virtual Technician.lnk
[2010/05/28 21:44:07 | 000,000,170 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\G to G Malware Removal Forum.URL
[2010/05/26 08:58:03 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\CCleaner.lnk
[2010/05/22 03:49:35 | 000,000,561 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\MediaInfo.lnk
[2010/05/17 21:53:10 | 000,942,960 | ---- | M] (McAfee Inc.) -- C:\Documents and Settings\Dan\Local Settings\Application Data\MvtApp.exe
[2010/05/13 02:35:03 | 000,000,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avidemux 2.5.lnk
[2010/05/13 02:19:25 | 000,001,665 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPER ©.lnk
[2010/05/13 01:10:29 | 000,000,663 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\Easy Video Joiner.lnk
[2010/05/12 23:35:16 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Dan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/12 15:32:24 | 000,000,761 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\IsoBuster.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/27 17:16:24 | 000,385,880 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2010/04/27 17:16:24 | 000,312,616 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
[2010/04/27 17:16:24 | 000,152,320 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2010/04/27 17:16:24 | 000,095,568 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
[2010/04/27 17:16:24 | 000,088,480 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
[2010/04/27 17:16:24 | 000,083,496 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
[2010/04/27 17:16:24 | 000,082,952 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
[2010/04/27 17:16:24 | 000,055,456 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
[2010/04/27 17:16:24 | 000,051,688 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2010/04/27 17:16:24 | 000,009,344 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
[2010/04/27 02:34:12 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2010/04/27 02:34:12 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\WindowsShell.Manifest
[2010/04/27 02:34:12 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2010/04/27 02:34:12 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2010/04/27 02:34:12 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2010/04/27 02:34:12 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2010/04/27 02:34:07 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/04/27 02:34:07 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/04/26 03:40:48 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/15 11:03:40 | 000,000,080 | -HS- | M] () -- C:\WINDOWS\setup_9.0.0.722_15.04.2010_17-11drv.spi
[2010/04/06 16:48:20 | 000,000,827 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\USEC Radix.lnk
[2010/04/06 09:06:26 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Dan\My Documents\Dad's Meds small 100316.doc
[2010/04/04 14:36:36 | 000,002,862 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2010/04/03 16:40:02 | 000,444,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/04/03 16:40:02 | 000,072,306 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/04/03 16:39:58 | 000,523,570 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/10 06:56:48 | 000,000,619 | ---- | M] () -- C:\WINDOWS\win.ini

========== Files Created - No Company Name ==========

[2010/05/30 02:01:00 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\gmer.exe
[2010/05/30 01:25:22 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/30 01:17:46 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\NTREGOPT.lnk
[2010/05/30 01:17:46 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\ERUNT.lnk
[2010/05/29 02:10:50 | 000,000,845 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\TFC.exe.lnk
[2010/05/29 01:48:09 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee AntiVirus Plus.lnk
[2010/05/29 01:45:22 | 000,000,873 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\McAfee Virtual Technician.lnk
[2010/05/28 21:37:22 | 000,000,170 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\G to G Malware Removal Forum.URL
[2010/05/23 00:43:27 | 000,000,879 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\WordPad.lnk
[2010/05/22 03:55:02 | 000,000,561 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\MediaInfo.lnk
[2010/05/13 02:35:03 | 000,000,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avidemux 2.5.lnk
[2010/05/13 02:20:27 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2010/05/13 02:19:25 | 000,001,665 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPER ©.lnk
[2010/05/13 02:19:22 | 000,120,832 | RHS- | C] () -- C:\WINDOWS\System32\MPCDx.ax
[2010/05/13 02:19:22 | 000,097,280 | RHS- | C] () -- C:\WINDOWS\System32\FLACDX.ax
[2010/05/13 02:19:22 | 000,051,712 | RHS- | C] () -- C:\WINDOWS\System32\RLSpeexDec.ax
[2010/05/13 02:19:21 | 000,227,328 | RHS- | C] () -- C:\WINDOWS\System32\ac3DX.ax
[2010/05/13 02:19:21 | 000,081,920 | RHS- | C] () -- C:\WINDOWS\System32\aac_parser.ax
[2010/05/13 01:10:29 | 000,000,663 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\Easy Video Joiner.lnk
[2010/05/12 15:32:24 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\IsoBuster.lnk
[2010/04/19 12:59:20 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\Geeks to Go Log.doc
[2010/04/15 11:03:40 | 000,000,080 | -HS- | C] () -- C:\WINDOWS\setup_9.0.0.722_15.04.2010_17-11drv.spi
[2010/04/04 10:19:30 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\CCleaner.lnk
[2010/03/25 11:39:26 | 000,000,827 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\USEC Radix.lnk
[2009/12/15 18:45:52 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\pamondrv.sys
[2009/12/15 17:45:16 | 000,043,408 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsRamDsk.sys
[2009/12/15 17:45:16 | 000,000,276 | ---- | C] () -- C:\WINDOWS\RamDriveSetup.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/05/06 21:03:45 | 000,054,624 | ---- | C] () -- C:\WINDOWS\System32\1362.sys
[2009/04/22 01:27:07 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\pamondrv.sys.REN
[2009/04/22 01:26:37 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\setupnt.dll
[2009/02/19 16:10:05 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2009/01/05 11:17:38 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2008/12/19 08:15:58 | 004,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/17 10:41:18 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/17 10:22:58 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/17 10:22:48 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/17 10:17:34 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/17 09:59:54 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/12/11 04:27:02 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/12/04 05:12:13 | 000,002,862 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/11/24 21:28:50 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS78.DLL
[2008/11/24 21:13:38 | 000,290,919 | ---- | C] () -- C:\WINDOWS\System32\pythoncom21.dll
[2008/11/24 21:13:38 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
[2008/11/24 21:10:42 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2008/11/24 21:10:42 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2008/11/24 21:02:51 | 000,000,196 | ---- | C] () -- C:\WINDOWS\EPSON 1260_1660 Installer.ini
[2008/11/24 20:23:50 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\mdmmoh.dll
[2008/11/24 05:52:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/10/03 10:50:54 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2004/04/19 16:01:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\gflmouhid.sys
[2003/01/07 00:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2008/11/24 21:28:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/04/18 07:30:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2009/03/29 17:53:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/04/19 14:51:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/25 15:12:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/20 12:13:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/01/05 11:17:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\EPSON
[2009/07/09 14:22:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\OfficeUpdate12
[2008/12/10 05:32:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Template
[2008/11/26 03:10:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Thunderbird
[2010/05/28 22:13:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\uTorrent

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2008/11/24 03:53:07 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/11/15 17:24:21 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/11/24 03:53:07 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/12/15 17:45:30 | 000,000,201 | ---- | M] () -- C:\inVHDDrvLog.dat
[2008/11/24 03:53:07 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/04/03 22:23:03 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2008/11/24 03:53:07 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/11/15 17:15:01 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/11/15 18:01:02 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/05/30 01:44:24 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 05:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 05:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/11/15 08:12:29 | 004,194,304 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/11/15 07:57:07 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2009/11/15 08:12:29 | 032,243,712 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/11/15 08:12:29 | 007,077,888 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav
< End of report >


OTL Extras logfile created on: 5/30/2010 3:57:39 AM - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Documents and Settings\Dan\Desktop\G to G Malware and Spyware Cleaning Guide & Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 594.00 Mb Available Physical Memory | 58.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 85.00% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 56.98 Gb Free Space | 76.46% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAN
Current User Name: Dan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"5353:UDP" = 5353:UDP:*:Enabled:Bonjour

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\FlashGet\FlashGet.exe" = C:\Program Files\FlashGet\FlashGet.exe:*:Enabled:Flashget -- File not found
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- File not found
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{059AE187-404C-47C5-B846-097DAF59DC44}" = Adobe Stock Photos 1.0
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{166E180E-9A3F-41AE-8B40-22D8FFF4AF87}" = McAfee Virtual Technician
"{172423F9-522A-483A-AD65-03600CE4CA4F}" = Microsoft Works 6-9 Converter
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{236BB7C4-4419-42FD-0409-1E257A25E34D}" = Adobe Photoshop CS2
"{26A24AE4-039D-4CA4-87B4-2F83216012FF}" = Java™ 6 Update 20
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.1
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{48A8ADFF-D6E4-409D-B2BA-5CABB7FE5A84}" = AirPort
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6C11D561-620B-47DA-A693-4C597F3CDF40}" = EPSON Smart Panel
"{6C5D7191-140A-11D6-B5A0-0050DA208A93}" = ArcSoft PhotoImpression
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{76BC2442-0002-47FA-9617-43BAD82BEF4C}" = Bonjour
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8EDBA74D-0686-4C99-BFDD-F894678E5B39}" = Adobe Common File Installer
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{98613C99-1399-416C-A07C-1EE1C585D872}" = SeaTools for Windows
"{996A2FAA-7514-4628-9D12-A8FC34A0016E}" = iTunes
"{9A3EABC0-CA06-11D4-BF77-00104B130C19}" = EPSON TWAIN 5
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.2
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B5C3B892-0849-476C-9F46-B12F84819D57}" = Apple Mobile Device Support
"{B69CC1A5-0404-11D6-ABCB-005004C21D30}" = EPSON Copy Utility
"{B74D4E10-6884-0000-0000-000000000103}" = Adobe Bridge 1.0
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E9787678-1033-0000-8E67-000000000001}" = Adobe Help Center 1.0
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F5A83924-6A0A-40A2-9A9C-00D876B62E7F}" = FreeAgent Pro Tools
"{FF4D7901-4AC6-4BC4-925B-8C5400BD67AF}" = ORiNOCO 802.11 Wireless Client
"7-Zip" = 7-Zip 4.65
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.4 Professional
"Adobe Acrobat 7.0 Professional_714" = Adobe Acrobat 7.1.4 - CPSID_50030
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"ATI Display Driver" = ATI Display Driver
"Avidemux 2.5" = Avidemux 2.5
"Canon Setup Utility 2.0" = Canon Setup Utility 2.0
"CANONBJ_Deinstall_CNMCP78.DLL" = Canon iP4200
"CCleaner" = CCleaner
"Easy Video Joiner_is1" = Easy Video Joiner 5.21
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"EPSON Photo Print" = EPSON Photo Print
"ERUNT_is1" = ERUNT 1.1j
"FileASSASSIN" = FileASSASSIN
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"Installing HSP56 MicroModem Drivers" = PCTEL 2304WT V.9x MDC Modem Drivers
"InstallShield_{48A8ADFF-D6E4-409D-B2BA-5CABB7FE5A84}" = AirPort
"InstallShield_{F5A83924-6A0A-40A2-9A9C-00D876B62E7F}" = FreeAgent Pro Tools
"IsoBuster_is1" = IsoBuster 2.8 Beta
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MediaInfo" = MediaInfo 0.7.33
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"MSC" = McAfee AntiVirus Plus
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Silent Package Run-Time Sample" = EPSON Scanner Reference Guide
"SUPER ©" = SUPER © Version 2010.bld.38 (May 2, 2010)
"uTorrent" = µTorrent
"VLC media player" = VLC media player 1.0.5
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XP Codec Pack" = XP Codec Pack

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 5/20/2010 9:59:24 PM | Computer Name = DAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 5/20/2010 9:59:25 PM | Computer Name = DAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 5/20/2010 9:59:27 PM | Computer Name = DAN | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download....uthrootseq.txt>
with error: The specified server cannot perform the requested operation.

Error - 5/21/2010 4:24:57 AM | Computer Name = DAN | Source = Application Error | ID = 1000
Description = Faulting application joiner.exe, version 0.0.0.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x00011119.

Error - 5/21/2010 5:14:31 AM | Computer Name = DAN | Source = Application Error | ID = 1000
Description = Faulting application joiner.exe, version 0.0.0.0, faulting module
wmasf.dll, version 11.0.5721.5238, fault address 0x00016d29.

Error - 5/21/2010 5:25:34 AM | Computer Name = DAN | Source = Application Error | ID = 1000
Description = Faulting application joiner.exe, version 0.0.0.0, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x000101b3.

Error - 5/28/2010 4:18:06 PM | Computer Name = DAN | Source = Bonjour Service | ID = 100
Description = WSARecvMsg failed (10022)

Error - 5/29/2010 1:11:27 AM | Computer Name = DAN | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.8313.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/29/2010 4:37:39 AM | Computer Name = DAN | Source = Bonjour Service | ID = 100
Description = WSARecvMsg failed (10022)

Error - 5/29/2010 4:46:11 AM | Computer Name = DAN | Source = MsiInstaller | ID = 11722
Description = Product: McAfee Virtual Technician -- Error 1722. There is a problem
with this Windows Installer package. A program run as part of the setup did not
finish as expected. Contact your support personnel or package vendor. Action Action1,
location: C:\Documents and Settings\Dan\Local Settings\Application Data\MvtApp.exe,
command: /install

[ System Events ]
Error - 5/30/2010 4:10:46 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/30/2010 4:10:46 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/30/2010 4:10:46 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/30/2010 4:10:49 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 5/30/2010 4:10:49 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7034
Description = The McAfee SiteAdvisor Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 5/30/2010 4:10:49 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7031
Description = The McAfee Personal Firewall service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 5/30/2010 4:10:49 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7031
Description = The McAfee Services service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 5/30/2010 4:10:49 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7031
Description = The McAfee VirusScan Announcer service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 5/30/2010 4:10:49 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7031
Description = The McAfee Network Agent service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 5/30/2010 4:10:49 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7031
Description = The McAfee Proxy Service service terminated unexpectedly. It has
done this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.


< End of report >
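
The report above ends with a run of Service Control Manager errors in which three McAfee services and two unrelated ones terminated within the same three seconds. The Python below is an added example, not part of this thread and not OTL code: it parses the "Last 10 Event Log Errors" layout OTL writes and clusters SCM 7031/7034 events by time, flagging clusters in which more than one security-product service died together. The sample log is a subset of the lines in the report above; the five-second window and the name markers are assumptions to tune per environment. A cluster like this also appears after an ordinary crash or hard reset, so check the System log for the shutdown events around the same timestamp before reading it as tampering.

```python
"""Added example (not part of the thread or of OTL): cluster Service Control
Manager 'terminated unexpectedly' events from OTL's event-log section."""
import re
from datetime import datetime, timedelta

# Subset of the 'Last 10 Event Log Errors' lines from the report above.
SAMPLE_LOG = """\
Error - 5/29/2010 1:11:27 AM | Computer Name = DAN | Source = Application Hang | ID = 1002
Description = Hanging application WINWORD.EXE, version 11.0.8313.0, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 5/30/2010 4:10:46 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/30/2010 4:10:46 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 5/30/2010 4:10:49 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7034
Description = The McAfee SiteAdvisor Service service terminated unexpectedly. It
has done this 1 time(s).

Error - 5/30/2010 4:10:49 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7031
Description = The McAfee Personal Firewall service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 60000
milliseconds: Restart the service.

Error - 5/30/2010 4:10:49 AM | Computer Name = DAN | Source = Service Control Manager | ID = 7031
Description = The McAfee Services service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.
"""

HEADER_RE = re.compile(
    r"^Error - (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \| "
    r"Computer Name = (?P<host>[^|]+?) \| Source = (?P<source>[^|]+?) \| ID = (?P<id>\d+)$"
)
TERMINATED_RE = re.compile(r"The (?P<svc>.+?) service terminated unexpectedly")
SCM_CRASH_IDS = {"7031", "7034"}
# Assumption: substrings that identify security-product services in this environment.
SECURITY_MARKERS = ("mcafee", "firewall", "virusscan", "antivirus", "security")


def parse_events(text):
    """Return one dict per event; wrapped description lines are rejoined."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                       "host": m["host"], "source": m["source"], "id": m["id"], "desc": ""}
            events.append(current)
        elif current is not None and line.strip():
            current["desc"] = (current["desc"] + " " + line.strip()).strip()
    for ev in events:
        if ev["desc"].startswith("Description = "):
            ev["desc"] = ev["desc"][len("Description = "):]
    return events


def service_crashes(events):
    """(timestamp, service name) for every SCM 7031/7034 'terminated unexpectedly' event."""
    crashes = []
    for ev in events:
        if ev["source"] == "Service Control Manager" and ev["id"] in SCM_CRASH_IDS:
            m = TERMINATED_RE.search(ev["desc"])
            if m:
                crashes.append((ev["ts"], m["svc"]))
    return sorted(crashes)


def suspicious_clusters(events, window=timedelta(seconds=5), min_security=2):
    """Group crashes that fall within `window` of a cluster's first event and
    return the clusters in which at least `min_security` security services died."""
    clusters = []
    for ts, svc in service_crashes(events):
        if clusters and ts - clusters[-1][0][0] <= window:
            clusters[-1].append((ts, svc))
        else:
            clusters.append([(ts, svc)])
    flagged = []
    for cluster in clusters:
        security = [s for _, s in cluster if any(k in s.lower() for k in SECURITY_MARKERS)]
        if len(security) >= min_security:
            flagged.append({"start": cluster[0][0],
                            "services": [s for _, s in cluster],
                            "security_services": security})
    return flagged


if __name__ == "__main__":
    for c in suspicious_clusters(parse_events(SAMPLE_LOG)):
        print(c["start"], len(c["services"]), "services died together:", ", ".join(c["services"]))
```

On the sample the five crashes form one cluster and three of them match the security markers, so it is flagged; shrinking the window to one second splits the two non-security crashes at 4:10:46 off into their own, unflagged, cluster.
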

#2 Elliot (Retired Staff, Expert, 3,769 posts)
Hello, whynot53!

Welcome to Geeks to Go! My name is Elster and I will be helping you fix your computer.

Please note that I am still in training, so there may be some delay between my responses. This is so that a resident expert may check my reply before I post back to you.

Also, please keep in mind that very rarely will a computer be "dis-infected" on the first sweep. The absence of symptoms does not mean that your computer is clean, so please stick with me until I give you the All Clear!

I recommend that you save and print each of my posts, as there will be times when you will not be able to be online to access them.

I am currently reviewing your logs, and will reply to you shortly.

Thanks!

Elster

#3 Elliot (Retired Staff, Expert, 3,769 posts)
Hello whynot53!


Step 1:

virSCAN
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    C:\WINDOWS\system32\1362.sys

  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

Step 2:

OTL
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O33 - MountPoints2\{00fca560-3113-11de-9f38-000874e4035e}\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run
    O33 - MountPoints2\{8395f2f5-4aa9-11de-9f55-0020a6524190}\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run
    O33 - MountPoints2\G\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Then post a new OTL log

Step 3:

OTS

To ensure that I get all the information, this log will need to be attached (instructions at the end). If it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following:


    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    /md5stop
    %systemroot%\*. /mp /s
    c:\$recycle.bin\*.* /s
    CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.


Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Step 4:

Reply

Things I need to see in your reply:
  • Results of virSCAN
  • OTL log
  • Attached OTS log
Thanks!

Elster

#4 whynot53 (Topic Starter, Member, 41 posts)
Hi Elster,

Thank you for helping me with my problem. I will be sure and stick with you until the end.

I will do as you ask and get back to you.

whynot53

#5 Elliot (Retired Staff, Expert, 3,769 posts)
:)

#6 whynot53 (Topic Starter, Member, 41 posts)
Hi Elster,

I finished the scans and here are the logs. Oh, by the way, the link to "VirSCAN.org" didn't work.
I received this error message-

"404 Not Found
The resource requested could not be found on this server!"

I googled "VirSCAN.org" and found it anyway.


VirSCAN.org Scanned Report :
Scanned time : 2009/06/05 12:31:50 (CST)
Scanner results: 79% Scanner(s) (30/38) found malware!
File Name : 1.html
File Size : 4037 byte
File Type : Sendmail frozen configuration - version body bgcolor=
MD5 : 4a2514195555a43458b4e087d29124be
SHA1 : e96f20c01c95b12a6cf9992b1e16deaac5ca025c
Online report : http://virscan.org/r...5aa9dfd4d2.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090604013225 2009-06-04 2.05 Virus.Win32.Killmbr.D!IK
AhnLab V3 2009.06.05.00 2009.06.05 2009-06-05 0.74 Win-Trojan/Dialer.712704.B
AntiVir 8.2.0.180 7.1.4.59 2009-06-04 0.55 KIT/GhostDial.1
Antiy 2.0.18 20090604.2498051 2009-06-04 0.15 Trojan/Win32.Dialer.gvg
Arcavir 2009 200906041608 2009-06-04 0.39 Dialer.Bib
Authentium 5.1.1 200906041652 2009-06-04 1.18 W32/Trojan2.DOJN (Exact)
AVAST! 4.7.4 090604-0 2009-06-04 0.05 Win32:Dialer-1314 [Trj]
AVG 8.5.286 270.12.53/2155 2009-06-05 0.37 Dialer.KNV
BitDefender 7.81008.3335505 7.25811 2009-06-05 0.75 Trojan.Generic.1004008
CA (VET) 9.0.0.143 31.6.6539 2009-06-05 9.17 -
ClamAV 0.95.1 9421 2009-06-05 0.18 Dialer-3765
Comodo 3.9 1259 2009-06-04 0.74 ApplicUnwnt.Win32.PornTool.Agent.fi
CP Secure 1.1.0.715 2009.06.03 2009-06-03 9.97 -
Dr.Web 4.44.0.9170 2009.06.05 2009-06-05 4.85 BackDoor.Pigeon.12989
F-Prot 4.4.4.56 20090604 2009-06-04 1.15 W32/Trojan2.DOJN (exact)
F-Secure 5.51.6100 2009.06.05.03 2009-06-05 5.79 -
Fortinet 2.81-3.117 10.466 2009-06-04 0.35 Suspicious
GData 19.5615/19.353 20090605 2009-06-05 4.39 Win32:Dialer-1313 [Trj] [Engine:B]
ViRobot 20090604 2009.06.04 2009-06-04 0.42 -
Ikarus T3.1.01.57 2009.06.03.72814 2009-06-03 3.11 Virus.Win32.Killmbr.D
JiangMin 11.0.706 2009.06.03 2009-06-03 2.07 Trojan/Dialer.gnc
Kaspersky 5.5.10 2009.06.05 2009-06-05 0.08 not-a-virus:Porn-Dialer.Win32.Agent.fi
KingSoft 2009.2.5.15 2009.6.4.21 2009-06-04 0.51 Win32.Hack.ReSSDT.c.716800
McAfee 5.3.00 5636 2009-06-04 2.97 BackDoor-DSQ
Microsoft 1.4701 2009.06.04 2009-06-04 4.29 Backdoor:Win32/Farfli.J
mks_vir 2.01 2009.06.05 2009-06-05 3.35 -
Norman 6.01.05 6.01.00 2009-06-02 4.01 W32/Dialer.DHRP
Panda 9.05.01 2009.06.04 2009-06-04 1.86 -
Trend Micro 8.700-1004 6.170.08 2009-06-04 0.06 TROJ_DIAL.RHB
Quick Heal 10.00 2009.06.05 2009-06-05 1.37 -
Rising 20.0 21.32.34.00 2009-06-04 0.99 Backdoor.Win32.Drwolf.axh
Sophos 2.87.1 4.42 2009-06-05 2.44 Mal/Whybo-A
Sunbelt 5170 5170 2009-06-04 0.94 Porn-Dialer.Win32.Agent.fi
Symantec 1.3.0.24 20090604.002 2009-06-04 0.06 -
nProtect 20090604.01 4070376 2009-06-04 5.23 Trojan/W32.Dialer.712704
The Hacker 6.3.4.3 v00340 2009-06-04 0.63 Trojan/Dialer.Agent.fi
VBA32 3.12.10.6 20090604.1412 2009-06-04 1.96 Porn-Dialer.Win32.Agent.fi
VirusBuster 4.5.11.10 10.107.2/1575686 2009-06-04 1.90 Dialer.Agent.IFEU



All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{00fca560-3113-11de-9f38-000874e4035e}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00fca560-3113-11de-9f38-000874e4035e}\ not found.
File "Install FreeAgent Tools.exe" /run not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8395f2f5-4aa9-11de-9f55-0020a6524190}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8395f2f5-4aa9-11de-9f55-0020a6524190}\ not found.
File "Install FreeAgent Tools.exe" /run not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
File "Install FreeAgent Tools.exe" /run not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G\ deleted successfully.
File "Install FreeAgent Tools.exe" /run not found.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Dan
->Temp folder emptied: 5174 bytes
->Temporary Internet Files folder emptied: 230513 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 40684146 bytes
->Flash cache emptied: 725 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16867 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 39.00 mb


OTL by OldTimer - Version 3.2.5.0 log created on 05302010_150210

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...


Attached File  OTS.Txt   121.74KB   196 downloads

#7 Elliot (Retired Staff, Expert, 3,769 posts)
Hiya whynot53!

Step 1:

OTS

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Driver Services - Safe List]
YY -> (1362) 1362 [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\1362.sys
[Files - No Company Name]
NY -> 1362.sys -> C:\WINDOWS\System32\1362.sys
[Empty Temp Folders]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.


Step 2:

Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step 3:

Reply

Things I need to see in your reply:
  • OTS log
  • Kaspersky log
  • How is your computer running, now?
Thanks!

Elster
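
Three kinds of line have been acted on so far in this thread: the firewall exceptions marked "File not found" in the first report, the O33 MountPoints2 AutoRun handlers removed by the OTL fix in post #3, and the digits-only kernel driver 1362.sys sitting in System32 rather than System32\drivers, removed by the OTS fix above. The Python below is an added example, not OTL or OTS code and not from the thread: it recognises those three line layouts and applies the corresponding heuristics. The sample lines are copied from the posts above, except the ACPI control line, which is constructed in the same OTS layout; the heuristics are assumptions of this example, not OldTimer's whitelist logic. A firewall exception for a path that no longer exists is worth deleting on its own merits: it is a pre-approved hole for whatever is dropped at that path later.

```python
"""Added example (not OTL/OTS code and not from the thread): flag the three
line types this thread acted on in OTL/OTS output."""
import ntpath
import re

SAMPLE_LINES = [
    # Firewall exceptions, copied from the first report in this thread.
    r'"C:\Program Files\FlashGet\FlashGet.exe" = C:\Program Files\FlashGet\FlashGet.exe:*:Enabled:Flashget -- File not found',
    r'"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)',
    # Drive autorun handler, copied from the OTL fix in post #3.
    r'O33 - MountPoints2\F\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run',
    # Driver service, copied from the OTS fix in post #7.
    r'YY -> (1362) 1362 [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\1362.sys',
    # Constructed benign control line in the same OTS layout (not from the thread).
    r'YY -> (ACPI) Microsoft ACPI Driver [Kernel | Boot | Running] -> C:\WINDOWS\system32\drivers\ACPI.sys',
]

FW_RE = re.compile(r'^"(?P<path>[^"]+)" = .*?:\*:(?P<state>Enabled|Disabled):(?P<label>.*?) -- (?P<signer>.*)$')
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<key>[^\\]+)\\Shell\\AutoRun\\command - "" = (?P<cmd>.*)$')
DRV_RE = re.compile(r'^YY -> \((?P<short>[^)]*)\) (?P<name>.+?) \[(?P<type>[^|\]]+) \| '
                    r'(?P<start>[^|\]]+) \| (?P<state>[^\]]+)\] -> (?P<path>.+)$')


def triage(lines):
    """Return (kind, subject, reason) tuples for lines worth a human's attention."""
    findings = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            # A live exception for a binary that is gone is a pre-approved hole:
            # anything dropped at that path inherits it.
            if m["state"] == "Enabled" and m["signer"] == "File not found":
                findings.append(("firewall", m["path"], "enabled exception for a missing binary"))
            continue
        m = O33_RE.match(line)
        if m:
            findings.append(("autorun", m["key"],
                             "AutoRun handler on a mount point runs " + m["cmd"]))
            continue
        m = DRV_RE.match(line)
        if m:
            reasons = []
            stem = ntpath.splitext(ntpath.basename(m["path"]))[0]
            parent = ntpath.basename(ntpath.dirname(m["path"])).lower()
            if stem.isdigit():
                reasons.append("digits-only driver name")
            if m["type"] == "Kernel" and parent == "system32":
                reasons.append("kernel driver outside system32\\drivers")
            if reasons:
                findings.append(("driver", m["path"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(SAMPLE_LINES):
        print(f"[{kind}] {subject}: {reason}")
```

Run against the sample it reports the FlashGet exception, the F: AutoRun handler and 1362.sys, and stays quiet on the signed µTorrent exception and the ACPI control line. The driver heuristics are deliberately narrow; a real triage pass would also hash the file and check its signature, as the VirSCAN step in post #3 does.
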

#8 whynot53 (Topic Starter, Member, 41 posts)
Hey Elster,

I have those logs for you.

I had a little trouble with the Kaspersky WebScanner. When I clicked on Accept I received two error messages. I took a screen shot of them and uploaded it to Mediafire @ http://www.mediafire...degmm/Kaspersky Lab error.rtf. I clicked OK and Run and continued with the scan.

I also had a little trouble following the directions. They did not match the Web Page very well. Perhaps Kaspersky has updated or changed their scanner.

Anyway, I managed to muddle through it and I think it came out OK.

My computer seems to be running better. I think we have made good progress.


All Processes Killed
[Driver Services - Safe List]
Service 1362 stopped successfully!
Service 1362 deleted successfully!
C:\WINDOWS\system32\1362.sys moved successfully.
[Files - No Company Name]
File C:\WINDOWS\System32\1362.sys not found!
[Empty Temp Folders]


User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Dan
->Temp folder emptied: 946 bytes
->Temporary Internet Files folder emptied: 203531 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 44091858 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 483 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 42.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.31.1 fix logfile created on 06012010_190433

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, June 2, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, June 01, 2010 22:16:05
Records in database: 4195751
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
E:\

Scan statistics:
Objects scanned: 54346
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 02:52:19

No threats found. Scanned area is clean.

Selected area has been scanned.

#9 Elliot (Retired Staff, Expert, 3,769 posts)
Hiya whynot53!

It appears that we have gotten rid of the malware, so congratulations!! Your computer is clean again! :)

Just a few more steps here and you'll be out surfing that net in no time!

SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

THEN

Download Flush Flash from Here and follow the easy to use instructions on the same page

NEXT

Download and run Puran Disc Defragmenter


It is very important that you keep your computer updated with the latest patches and security fixes. Be sure and update the following on a regular basis:

For Windows updates, go here

For Java updates,
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 20.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Make Internet Explorer more secure:
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

Download some preventative software such as:

Anti Spyware
  • SpywareBlaster to help prevent spyware from installing in the first place. A tutorial can be found here.
  • SpywareGuard to catch and block spyware before it can execute. A tutorial can be found here.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. A tutorial can be found here.

Personal Firewalls -- UTILIZE ONLY ONE FIREWALL
Anti Virus Programs -- NEVER USE MORE THAN ONE ANTI-VIRUS PROGRAM AT A TIME
Preventive maintenance:

ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

TFC - Cleans temporary files from user accounts. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

MVPS Hosts file - replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

Good luck, and great surfing!!

Elster :)
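
The HOSTS-file advice above works by mapping unwanted hostnames to an address that goes nowhere; malware of this era used the same file in reverse, pointing update or antivirus vendor hostnames at loopback (so signature updates fail silently) or at an attacker's address. The Python below is an added example, not part of the thread and not the MVPS list: it parses a hosts file, treats 127.0.0.1, 0.0.0.0 and ::1 as block targets, separates the intended blocklist entries from anything else, and flags vendor names sunk to a block target as well as any name pointed at a routable address. The sample file and the vendor suffix list are constructed for the example; the suffix list is an assumption to adjust to the products actually installed.

```python
"""Added example (not part of the thread): audit a HOSTS file for hijacked
entries rather than just installing a blocklist."""
import ipaddress

# Constructed sample (not from the thread). Lines 2-6 are the blocklist style;
# lines 7 and 8 are the two hijack shapes; line 9 is an ordinary LAN mapping.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net
127.0.0.1       www.bad-ads.example   # blocked by the list
0.0.0.0 tracker.example www.tracker.example
127.0.0.1       download.mcafee.com
198.51.100.23   update.microsoft.com
192.168.1.10    nas.local
"""

BLOCK_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumption: vendor suffixes whose resolution must never be overridden locally.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "mcafee.com")


def parse_hosts(text):
    """One dict per (address, hostname) pair, or an error dict per bad line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *hosts = line.split()
        try:
            addr = str(ipaddress.ip_address(addr))   # validates and canonicalises v4/v6
        except ValueError:
            entries.append({"line": lineno, "error": f"unparseable address {addr!r}"})
            continue
        for host in hosts:
            entries.append({"line": lineno, "addr": addr, "host": host.lower()})
    return entries


def is_protected(host, suffixes=PROTECTED_SUFFIXES):
    """True when host is a protected vendor name or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def blocked_hosts(entries):
    """Hostnames the file sinks to a block target (the intended blocklist effect)."""
    return [e["host"] for e in entries
            if "addr" in e and e["addr"] in BLOCK_TARGETS and e["host"] != "localhost"]


def audit(entries, suffixes=PROTECTED_SUFFIXES):
    """(kind, line number, detail) for entries that are not plain blocklisting."""
    findings = []
    for e in entries:
        if "error" in e:
            findings.append(("malformed", e["line"], e["error"]))
        elif e["addr"] in BLOCK_TARGETS:
            if is_protected(e["host"], suffixes):
                # Vendor name sunk to loopback: updates and signature downloads fail silently.
                findings.append(("vendor-blocked", e["line"], f"{e['host']} -> {e['addr']}"))
        else:
            # Any routable target is a redirect; a vendor redirect is the classic hijack.
            kind = "vendor-redirect" if is_protected(e["host"], suffixes) else "redirect"
            findings.append((kind, e["line"], f"{e['host']} -> {e['addr']}"))
    return findings


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(len(blocked_hosts(entries)), "hosts blocked")
    for kind, line, detail in audit(entries):
        print(f"line {line}: {kind}: {detail}")
```

Plain "redirect" findings such as the NAS entry need a human decision, which is why they are reported separately from the vendor cases; on a machine that should have no local overrides at all, every redirect is suspect.
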

#10 whynot53 (Topic Starter, Member, 41 posts)
Yeeeaah!! :) :)

Thank you so much. You did a fabulous job.


I have a few questions, if you don't mind.

Was C:\WINDOWS\system32\1362.sys the main virus?

Did you find any other malware?

Did you find any rootkits?


I see that you have been promoted. Congratulations!

whynot53

#11 Elliot (Retired Staff, Expert, 3,769 posts)
It appears that you had already done much of the hard work, so good job! 1362.sys was pretty much all that I saw, but quite frequently, it only takes one to cause a bunch of issues. No rootkits. Hopefully, you won't be having these issues from now on. If you do, please don't hesitate to let myself, or any of the great people here, know.

And, yes. I have been promoted. Thanks for noticing, and thanks for the kind words.

Good luck!

Elster

#12 Elliot (Retired Staff, Expert, 3,769 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

#13 Elliot (Retired Staff, Expert, 3,769 posts)
Hello again, whynot53!

What are you experiencing now? Go ahead and post another OTL log, as well, please.

Thanks!

Elster

#14 whynot53 (Topic Starter, Member, 41 posts)
Hi Elster,

Thank you for responding so quickly.

I have nothing new to report. My computer seemed fine for a while and then the same symptoms started appearing again. It would do those screwy little things like the mouse right click menu would suddenly appear, Firefox would open to my homepage and in the Audio Master Volume Control, when I would try to move the slider to increase the volume, it would just keep drifting back to zero. Last night the flashing popup reappeared.

I checked for, “C:\WINDOWS\system32\1362.sys” and it has not reappeared.

I downloaded OTL again so I would be sure to have the latest version, and McAfee kept blocking the download and detecting "Artemis!CAFF40AC84A0". From all that I can tell this is an issue with McAfee, so I turned off "Real-Time Scanning" and it downloaded just fine.

I continued to have problems running OTL because of McAfee so I uninstalled McAfee. This is McAfee’s 3rd strike for me so I’ve decided to use something else. I installed Microsoft Security Essentials and COMODO Firewall because of recommendations by Geeks to Go. So far OTL has worked fine except I didn't get an "Extras Log".


whynot53


OTL logfile created on: 6/18/2010 3:05:10 PM - Run 4
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\Dan\Desktop\G to G Malware and Spyware Cleaning Guide & Programs
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 603.00 Mb Available Physical Memory | 59.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): c:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.53 Gb Total Space | 55.58 Gb Free Space | 74.58% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DAN
Current User Name: Dan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/18 15:04:04 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\G to G Malware and Spyware Cleaning Guide & Programs\OTL.exe
PRC - [2010/06/01 19:00:52 | 001,778,480 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
PRC - [2010/06/01 19:00:40 | 002,039,240 | ---- | M] (COMODO) -- C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/02/21 05:03:12 | 001,093,208 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Security Essentials\msseces.exe
PRC - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
PRC - [2009/12/09 18:02:36 | 000,202,776 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Essentials\MpCmdRun.exe
PRC - [2008/04/23 03:08:13 | 000,483,328 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
PRC - [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2004/09/13 11:33:20 | 000,155,648 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\Apoint.exe
PRC - [2004/08/19 09:40:08 | 000,045,056 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\Apoint\ApntEx.exe


========== Modules (SafeList) ==========

MOD - [2010/06/18 15:04:04 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dan\Desktop\G to G Malware and Spyware Cleaning Guide & Programs\OTL.exe
MOD - [2010/06/01 19:00:52 | 000,278,288 | ---- | M] (COMODO) -- C:\WINDOWS\system32\guard32.dll
MOD - [2008/04/14 06:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/06/01 19:00:52 | 001,778,480 | ---- | M] (COMODO) [Auto | Running] -- C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe -- (cmdAgent)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/12/09 18:02:38 | 000,017,904 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Essentials\MsMpEng.exe -- (MsMpSvc)


========== Driver Services (SafeList) ==========

DRV - [2010/06/04 11:55:58 | 000,229,312 | ---- | M] (COMODO) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\cmdGuard.sys -- (cmdGuard)
DRV - [2010/06/01 19:00:24 | 000,087,824 | ---- | M] (COMODO) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\inspect.sys -- (Inspect)
DRV - [2010/06/01 19:00:22 | 000,025,240 | ---- | M] (COMODO) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cmdhlp.sys -- (cmdHlp)
DRV - [2010/05/10 11:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 11:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/11 05:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tcpip6.sys -- (Tcpip6)
DRV - [2009/12/02 15:23:40 | 000,149,040 | ---- | M] (Microsoft Corporation) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MpFilter.sys -- (MpFilter)
DRV - [2009/04/18 07:30:38 | 000,441,760 | ---- | M] (Acronis) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\timntr.sys -- (timounter)
DRV - [2009/04/18 07:30:38 | 000,044,384 | ---- | M] (Acronis) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tifsfilt.sys -- (tifsfilter)
DRV - [2008/04/14 01:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/06/22 11:06:48 | 000,043,408 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\fsRamDsk.sys -- (fsRamDsk)
DRV - [2005/04/19 16:51:16 | 000,460,992 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ntpr11ag.sys -- (NTPR_NIC_SERVICE2)
DRV - [2005/03/21 11:00:24 | 000,004,096 | ---- | M] (SuperAdBlocker.com) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\sabprocenum.sys -- (SABProcEnum)
DRV - [2004/11/16 10:03:52 | 000,108,791 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2004/04/19 16:01:00 | 000,006,656 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\gflmouhid.sys -- (genmcmnUSB)
DRV - [2003/05/30 19:45:16 | 000,477,403 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vpctcom.sys -- (Vpctcom)
DRV - [2003/05/30 18:50:46 | 000,690,973 | ---- | M] (PCTEL, INC.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vmodem.sys -- (Vmodem)
DRV - [2003/05/28 13:08:12 | 000,066,111 | ---- | M] (PCtel, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\vvoice.sys -- (Vvoice)
DRV - [2003/02/24 16:30:02 | 000,135,292 | ---- | M] (PCTEL, INC.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ptserial.sys -- (Ptserial)
DRV - [2003/01/23 17:37:50 | 000,017,217 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2003/01/20 23:44:36 | 000,569,984 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2002/04/05 16:00:54 | 000,073,827 | ---- | M] (3Com Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\el90Xbc5.SYS -- (EL90XBC)
DRV - [2001/08/17 05:20:04 | 000,096,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ac97intc.sys -- (ac97intc) Intel® 82801 Audio Driver Install Service (WDM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 40 9B 84 7E BB 3D CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Yahoo"
FF - prefs.js..browser.search.order.1: "Yahoo"
FF - prefs.js..browser.search.order.2: "Yahoo"
FF - prefs.js..browser.search.param.yahoo-fr: "megaup"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "megaup"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://att.my.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 49
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..keyword.URL: "http://search.yahoo....8&fr=megaup&p="

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/18 16:43:57 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/19 14:41:53 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/04/19 15:14:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins

[2008/11/24 12:56:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Mozilla\Extensions
[2010/06/18 01:47:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\extensions
[2010/04/27 02:32:09 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/04/16 11:34:42 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/05/02 02:34:53 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
[2009/11/15 22:50:16 | 000,000,000 | ---D | M] (Adobe DLM (powered by getPlus®)) -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2010/03/23 21:44:20 | 000,002,131 | ---- | M] () -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\searchplugins\bmrk-file-host-search.xml
[2009/01/14 09:37:17 | 000,002,305 | ---- | M] () -- C:\Documents and Settings\Dan\Application Data\Mozilla\Firefox\Profiles\x4mqti0z.default\searchplugins\downloadhelper-adult-videos.xml
[2010/06/18 01:47:57 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/04/16 11:44:17 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 17:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2010/01/01 12:56:32 | 000,370,499 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 123haustiereundmehr.com
O1 - Hosts: 12797 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Acrobat Assistant 7.0] C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ATIModeChange] C:\WINDOWS\System32\Ati2mdxx.exe (ATI Technologies, Inc.)
O4 - HKLM..\Run: [COMODO Internet Security] C:\Program Files\COMODO\COMODO Internet Security\cfp.exe (COMODO)
O4 - HKLM..\Run: [MSSE] c:\Program Files\Microsoft Security Essentials\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [PCTVOICE] C:\WINDOWS\System32\pctspk.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk = C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe ()
O4 - Startup: C:\Documents and Settings\Dan\Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 255
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Convert link target to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert link target to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selected links to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert selection to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to existing PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll (Adobe Systems Incorporated)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: akamai.net ([a248.e] https in Trusted sites)
O15 - HKCU\..Trusted Domains: bitdefender.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Domains: netflame.cc ([ssl-hints] https in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.micr.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitd...can8/oscan8.cab (Reg Error: Key error.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.mi...b?1227541551745 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1227541633462 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset...lineScanner.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O20 - AppInit_DLLs: (C:\WINDOWS\system32\guard32.dll) - C:\WINDOWS\system32\guard32.dll (COMODO)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dan\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/11/24 03:53:07 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{8395f2f5-4aa9-11de-9f55-0020a6524190}\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run
O33 - MountPoints2\F\Shell\AutoRun\command - "" = "Install FreeAgent Tools.exe" /run
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (sasnative32) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/11/15 16:34:22 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux2 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: aux3 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi2 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi3 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer2 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer3 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: msacm.ac3filter - C:\WINDOWS\System32\ac3filter.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.ffds - C:\WINDOWS\System32\ff_vfw.dll ()
Drivers32: vidc.I420 - C:\WINDOWS\System32\i420vfw.dll (www.helixcommunity.org)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.tscc - C:\PROGRA~1\MpcStar\Codecs\tscc\tsccvid.dll File not found
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yv12 - C:\WINDOWS\System32\yv12vfw.dll (www.helixcommunity.org)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave2 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave3 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (17746534284132352)

========== Files/Folders - Created Within 90 Days ==========

[2010/06/18 13:32:39 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dan\Recent
[2010/06/18 13:02:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\COMODO
[2010/06/18 12:58:39 | 000,000,000 | ---D | C] -- C:\Program Files\COMODO
[2010/06/18 12:49:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo Downloader
[2010/06/18 12:22:03 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Essentials
[2010/06/18 02:55:54 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/06/10 17:19:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/06/10 17:19:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/06/04 00:01:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Application Data\SUPERAntiSpyware.com
[2010/06/04 00:01:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/06/04 00:00:40 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/06/01 19:04:33 | 000,000,000 | ---D | C] -- C:\_OTS
[2010/05/30 15:02:10 | 000,000,000 | ---D | C] -- C:\_OTL
[2010/05/30 01:25:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Application Data\Malwarebytes
[2010/05/30 01:25:19 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/05/30 01:25:17 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/05/30 01:25:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/05/30 01:25:16 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/22 03:49:34 | 000,000,000 | ---D | C] -- C:\Program Files\MediaInfo
[2010/05/13 02:34:24 | 000,000,000 | ---D | C] -- C:\Program Files\Avidemux 2.5
[2010/05/13 02:20:32 | 000,719,872 | ---- | C] (Abysmal Software) -- C:\WINDOWS\System32\devil.dll
[2010/05/13 02:20:30 | 000,369,152 | ---- | C] (The Public) -- C:\WINDOWS\System32\avisynth.dll
[2010/05/13 02:20:26 | 000,070,656 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\yv12vfw.dll
[2010/05/13 02:20:26 | 000,070,656 | ---- | C] (www.helixcommunity.org) -- C:\WINDOWS\System32\i420vfw.dll
[2010/05/13 02:20:23 | 000,000,000 | ---D | C] -- C:\Program Files\AviSynth 2.5
[2010/05/13 02:19:22 | 000,278,528 | ---- | C] (Real Networks, Inc) -- C:\WINDOWS\System32\pncrt.dll
[2010/05/13 02:19:22 | 000,216,064 | RHS- | C] (MONOGRAM Multimedia, s.r.o.) -- C:\WINDOWS\System32\nbDX.dll
[2010/05/13 02:19:22 | 000,186,880 | RHS- | C] (RadLight) -- C:\WINDOWS\System32\RLOgg.ax
[2010/05/13 02:19:22 | 000,179,200 | RHS- | C] (Gabest) -- C:\WINDOWS\System32\DiracSplitter.ax
[2010/05/13 02:19:22 | 000,169,472 | RHS- | C] (Gabest) -- C:\WINDOWS\System32\MatroskaDX.ax
[2010/05/13 02:19:22 | 000,163,328 | RHS- | C] (Gabest) -- C:\WINDOWS\System32\flvDX.dll
[2010/05/13 02:19:22 | 000,161,792 | RHS- | C] (Gabest) -- C:\WINDOWS\System32\RealMediaDX.ax
[2010/05/13 02:19:22 | 000,092,672 | RHS- | C] (RadLight) -- C:\WINDOWS\System32\RLVorbisDec.ax
[2010/05/13 02:19:22 | 000,090,112 | RHS- | C] (-) -- C:\WINDOWS\System32\TTADSSplitter.ax
[2010/05/13 02:19:22 | 000,090,112 | RHS- | C] (-) -- C:\WINDOWS\System32\TTADSDecoder.ax
[2010/05/13 02:19:22 | 000,067,584 | RHS- | C] (RadLight, LLC) -- C:\WINDOWS\System32\RLTheoraDec.ax
[2010/05/13 02:19:22 | 000,031,232 | RHS- | C] (Hans Mayerl) -- C:\WINDOWS\System32\msfDX.dll
[2010/05/13 02:19:21 | 000,123,904 | RHS- | C] (CoreCodec) -- C:\WINDOWS\System32\AVCDX.ax
[2010/05/13 02:19:11 | 000,000,000 | ---D | C] -- C:\Program Files\eRightSoft
[2010/05/13 01:10:28 | 000,000,000 | ---D | C] -- C:\Program Files\Easy Video Joiner
[2010/05/12 15:32:21 | 000,000,000 | ---D | C] -- C:\Program Files\Smart Projects
[2010/05/07 13:09:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\2wire Gateway
[2010/04/29 14:00:50 | 000,000,000 | ---D | C] -- C:\Program Files\AirPort
[2010/04/27 02:27:35 | 000,000,000 | ---D | C] -- C:\mfe
[2010/04/26 00:59:47 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/19 14:49:20 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/19 14:48:04 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/19 14:48:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/19 14:31:11 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/18 23:18:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\G to G Malware and Spyware Cleaning Guide & Programs
[2010/04/18 12:21:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Kaspersky
[2010/04/18 04:20:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Adobe Photoshop CS2 Updates
[2010/04/17 02:59:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Adobe Acrobat 7.0 Professional Updates
[2010/04/16 11:45:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/04/16 11:44:56 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/04/01 01:41:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Pics
[2010/03/29 23:52:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Trackball World
[2010/03/29 23:51:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Dan\Desktop\Hitachi DeskStar Harddrive
[2004/11/24 12:25:52 | 000,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\drvc.dll

========== Files - Modified Within 90 Days ==========

[2010/06/18 15:05:50 | 000,000,374 | -H-- | M] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2010/06/18 14:58:54 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/18 14:58:02 | 000,002,335 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
[2010/06/18 14:57:55 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/06/18 14:57:47 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/18 14:56:49 | 009,437,184 | -H-- | M] () -- C:\Documents and Settings\Dan\NTUSER.DAT
[2010/06/18 14:56:49 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Dan\ntuser.ini
[2010/06/18 13:40:29 | 000,000,845 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\OTL.exe.lnk
[2010/06/18 13:00:01 | 000,001,653 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\COMODO Firewall.lnk
[2010/06/18 11:50:56 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\wuaucpl.cpl.manifest
[2010/06/18 11:50:56 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\WindowsShell.Manifest
[2010/06/18 11:50:56 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\cdplayer.exe.manifest
[2010/06/18 11:50:55 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\sapi.cpl.manifest
[2010/06/18 11:50:55 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\nwc.cpl.manifest
[2010/06/18 11:50:55 | 000,000,749 | RH-- | M] () -- C:\WINDOWS\System32\ncpa.cpl.manifest
[2010/06/18 11:50:46 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2010/06/18 11:50:46 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2010/06/18 03:53:23 | 000,000,852 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\gmer.exe.lnk
[2010/06/18 02:55:55 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\NTREGOPT.lnk
[2010/06/18 02:55:55 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\ERUNT.lnk
[2010/06/08 16:23:06 | 000,228,000 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/06/08 16:19:37 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/06/08 16:08:43 | 000,444,596 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/06/08 16:08:42 | 000,506,244 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/06/08 16:08:42 | 000,072,306 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/06/08 15:45:08 | 000,000,619 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/06/04 00:00:51 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/30 14:57:02 | 000,000,845 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\OTS.exe.lnk
[2010/05/30 01:25:22 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/29 02:10:50 | 000,000,845 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\TFC.exe.lnk
[2010/05/28 21:44:07 | 000,000,170 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\G to G Malware Removal Forum.URL
[2010/05/26 08:58:03 | 000,001,548 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\CCleaner.lnk
[2010/05/22 03:49:35 | 000,000,561 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\MediaInfo.lnk
[2010/05/13 02:35:03 | 000,000,737 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Avidemux 2.5.lnk
[2010/05/13 02:19:25 | 000,001,665 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPER ©.lnk
[2010/05/13 01:10:29 | 000,000,663 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\Easy Video Joiner.lnk
[2010/05/12 23:35:16 | 000,015,360 | ---- | M] () -- C:\Documents and Settings\Dan\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/05/12 15:32:24 | 000,000,761 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\IsoBuster.lnk
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/26 03:40:48 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/04/15 11:03:40 | 000,000,080 | -HS- | M] () -- C:\WINDOWS\setup_9.0.0.722_15.04.2010_17-11drv.spi
[2010/04/06 16:48:20 | 000,000,827 | ---- | M] () -- C:\Documents and Settings\Dan\Desktop\USEC Radix.lnk
[2010/04/06 09:06:26 | 000,023,040 | ---- | M] () -- C:\Documents and Settings\Dan\My Documents\Dad's Meds small 100316.doc
[2010/04/04 14:36:36 | 000,002,862 | ---- | M] () -- C:\WINDOWS\wininit.ini

========== Files Created - No Company Name ==========

[2010/06/18 13:40:29 | 000,000,845 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\OTL.exe.lnk
[2010/06/18 13:00:01 | 000,001,653 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\COMODO Firewall.lnk
[2010/06/18 12:27:32 | 000,000,374 | -H-- | C] () -- C:\WINDOWS\tasks\MpIdleTask.job
[2010/06/18 03:53:23 | 000,000,852 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\gmer.exe.lnk
[2010/06/18 02:55:55 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\NTREGOPT.lnk
[2010/06/18 02:55:55 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\ERUNT.lnk
[2010/06/08 15:40:28 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/06/04 00:00:51 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2010/05/30 14:57:02 | 000,000,845 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\OTS.exe.lnk
[2010/05/30 01:25:22 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/29 02:10:50 | 000,000,845 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\TFC.exe.lnk
[2010/05/28 21:37:22 | 000,000,170 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\G to G Malware Removal Forum.URL
[2010/05/22 03:55:02 | 000,000,561 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\MediaInfo.lnk
[2010/05/13 02:35:03 | 000,000,737 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Avidemux 2.5.lnk
[2010/05/13 02:20:27 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2010/05/13 02:19:25 | 000,001,665 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPER ©.lnk
[2010/05/13 02:19:22 | 000,120,832 | RHS- | C] () -- C:\WINDOWS\System32\MPCDx.ax
[2010/05/13 02:19:22 | 000,097,280 | RHS- | C] () -- C:\WINDOWS\System32\FLACDX.ax
[2010/05/13 02:19:22 | 000,051,712 | RHS- | C] () -- C:\WINDOWS\System32\RLSpeexDec.ax
[2010/05/13 02:19:21 | 000,227,328 | RHS- | C] () -- C:\WINDOWS\System32\ac3DX.ax
[2010/05/13 02:19:21 | 000,081,920 | RHS- | C] () -- C:\WINDOWS\System32\aac_parser.ax
[2010/05/13 01:10:29 | 000,000,663 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\Easy Video Joiner.lnk
[2010/05/12 15:32:24 | 000,000,761 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\IsoBuster.lnk
[2010/04/15 11:03:40 | 000,000,080 | -HS- | C] () -- C:\WINDOWS\setup_9.0.0.722_15.04.2010_17-11drv.spi
[2010/04/04 10:19:30 | 000,001,548 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\CCleaner.lnk
[2010/03/25 11:39:26 | 000,000,827 | ---- | C] () -- C:\Documents and Settings\Dan\Desktop\USEC Radix.lnk
[2009/12/15 18:45:52 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\pamondrv.sys
[2009/12/15 17:45:16 | 000,043,408 | ---- | C] () -- C:\WINDOWS\System32\drivers\fsRamDsk.sys
[2009/12/15 17:45:16 | 000,000,276 | ---- | C] () -- C:\WINDOWS\RamDriveSetup.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2009/04/22 01:27:07 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\pamondrv.sys.REN
[2009/04/22 01:26:37 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\setupnt.dll
[2009/02/19 16:10:05 | 000,000,038 | ---- | C] () -- C:\WINDOWS\AviSplitter.INI
[2009/01/05 11:17:38 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI
[2008/12/19 08:15:58 | 004,338,246 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2008/12/17 10:41:18 | 000,884,237 | ---- | C] () -- C:\WINDOWS\System32\ff_x264.dll
[2008/12/17 10:22:58 | 000,093,184 | ---- | C] () -- C:\WINDOWS\System32\ff_wmv9.dll
[2008/12/17 10:22:48 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/17 10:17:34 | 000,239,247 | ---- | C] () -- C:\WINDOWS\System32\ff_theora.dll
[2008/12/17 09:59:54 | 000,560,802 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2008/12/11 04:27:02 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/12/04 05:12:13 | 000,002,862 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/11/24 21:28:50 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS78.DLL
[2008/11/24 21:13:38 | 000,290,919 | ---- | C] () -- C:\WINDOWS\System32\pythoncom21.dll
[2008/11/24 21:13:38 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\PyWinTypes21.dll
[2008/11/24 21:10:42 | 000,096,768 | ---- | C] () -- C:\WINDOWS\SlantAdj.dll
[2008/11/24 21:10:42 | 000,000,072 | ---- | C] () -- C:\WINDOWS\System32\epDPE.ini
[2008/11/24 21:02:51 | 000,000,196 | ---- | C] () -- C:\WINDOWS\EPSON 1260_1660 Installer.ini
[2008/11/24 20:23:50 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\mdmmoh.dll
[2008/11/24 05:52:06 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/10/03 10:50:54 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\ff_mpeg2enc.dll
[2004/04/19 16:01:00 | 000,006,656 | ---- | C] () -- C:\WINDOWS\System32\drivers\gflmouhid.sys
[2003/01/07 00:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2008/11/24 21:28:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/04/18 07:30:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Seagate
[2009/03/29 17:53:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2010/04/19 14:51:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/25 15:12:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
[2009/04/20 12:13:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2009/01/05 11:17:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\EPSON
[2009/07/09 14:22:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\OfficeUpdate12
[2008/12/10 05:32:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Template
[2008/11/26 03:10:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\Thunderbird
[2010/06/18 01:17:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dan\Application Data\uTorrent
[2010/06/18 15:05:50 | 000,000,374 | -H-- | M] () -- C:\WINDOWS\Tasks\MpIdleTask.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2008/11/24 03:53:07 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/11/15 17:24:21 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/11/24 03:53:07 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/12/15 17:45:30 | 000,000,201 | ---- | M] () -- C:\inVHDDrvLog.dat
[2008/11/24 03:53:07 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2008/11/24 03:53:07 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2009/11/15 17:15:01 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2009/11/15 18:01:02 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/06/18 14:57:42 | 1610,612,736 | -HS- | M] () -- C:\pagefile.sys

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2005/08/26 13:00:00 | 000,020,992 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPD78.DLL
[2005/08/26 13:00:00 | 000,059,392 | ---- | M] (CANON INC.) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\CNMPP78.DLL
[2008/07/06 05:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2009/11/15 08:12:29 | 004,194,304 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/11/15 07:57:07 | 000,262,144 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2009/11/15 08:12:29 | 032,243,712 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/11/15 08:12:29 | 007,077,888 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2008/04/14 06:42:10 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/14 06:42:12 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll
< End of report >
  • 0
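As an added example (not from this thread and not part of the OTL tool), the Python below parses OTL entry lines of the kind shown in the log above and runs a small defender-side triage over a few entries copied from it. The regex is derived from the line layout visible in the log; the triage heuristics and SAMPLE_LOG are constructed here, and anything they flag is a candidate to examine, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Optional
# OTL entry: [date time | size | attrs | M/C] (company) [MD5=hash] -- path; "(company)"
# is "()" when OTL found no version info and absent on directory (LOP Check) lines.
ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[RHSD-]{4}) \| (?P<kind>[MC])\](?: \((?P<company>[^)]*)\))?"
    r"(?: MD5=(?P<md5>[0-9A-Fa-f]{32}))? -- (?P<path>.+)$")
@dataclass
class Entry:
    ts: str
    size: int
    attrs: str              # R read-only, H hidden, S system, D directory, '-' unset
    kind: str               # M = modified-date section, C = created-date section
    company: Optional[str]
    md5: Optional[str]
    path: str

def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL line; section headers, blanks and '< ... >' markers give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], int(m["size"].replace(",", "")), m["attrs"], m["kind"],
                 m["company"] or None, m["md5"].upper() if m["md5"] else None, m["path"])

def parse_log(text: str) -> list:
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]

def triage(entries) -> list:
    """Heuristic (path, reason) pairs to check first; codec packs also set hidden bits."""
    findings = []
    for e in entries:
        low = e.path.lower()
        if "D" in e.attrs or "\\windows\\system32\\" not in low:
            continue                    # directories and non-System32 paths: context only
        if "H" in e.attrs or "S" in e.attrs:
            findings.append((e.path, "hidden/system attribute on a file in System32"))
        if low.endswith((".sys", ".dll", ".ax")) and not e.company:
            findings.append((e.path, "loadable module in System32 with no company name"))
    return findings
# Constructed sample: five entry lines copied from the log above.
SAMPLE_LOG = r"""
[2010/05/13 02:19:22 | 000,120,832 | RHS- | C] () -- C:\WINDOWS\System32\MPCDx.ax
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/12/15 18:45:52 | 000,043,520 | ---- | C] () -- C:\WINDOWS\System32\drivers\pamondrv.sys
[2008/11/24 21:28:40 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2008/04/14 06:42:10 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll
"""
```

Running `triage(parse_log(SAMPLE_LOG))` flags MPCDx.ax twice and pamondrv.sys once; the .ax filter carries the same timestamp as the codec-pack shortcut in the log, which is the kind of context a helper uses to downgrade such a hit.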

#15
Elliot

Elliot

    Retired Staff

  • Expert
  • 3,769 posts
Hello again, whynot53!

No offense, but I'm sorry to see you back so soon. :)

Let's see if we can't figure out just what is going on here.


Step 1:

OTL

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
    O15 - HKCU\..Trusted Domains: netflame.cc ([ssl-hints] https in Trusted sites)
    [2010/06/18 11:50:46 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
    [2010/06/18 11:50:46 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
    
    :Services
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Then post a new OTL log

Step 2:

ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.


Step 3:

Reply

Things I need to see in your reply:
  • OTL log
  • ComboFix log
Thanks!

Elster
  • 0