Artemis!


  • This topic is locked This topic is locked

#1 Steve_gts (Member, 29 posts)
Hi,

My PC is really struggling, I need help!

1. My PC has been getting progressively slower recently. I have been trying to sort it out myself, so have gone through the malware removal process and that found and removed a few things (including trojan.agent/gen backdoor.bot[zbot] and malware.trace). I also had a stage a couple of weeks ago where loads of programs would be shown in the task manager as 00001 00002 00003 etc (and other names), but I could manually stop those. I tried the redirect removal, but OTM was just crashing the PC, then did some of the prevention measures, but the problems are still not solved. I have run numerous scans etc over the last few days but it's just getting worse; now it is unbearably slow in Safe Mode and crashes and has errors on normal startup. I have run the following, some I already had, others were found through this forum, but it's got to the point where I need help.

McAfee scans
Avast Scans (now removed from PC)
Adaware Scans
Malwarebytes Scans
Superantispyware Scans
Win ASO Registry Optimiser

I also have the following on my desktop now, some ran some didn't:
ERUNT
NTREGOPT
TFC
OTM
GooredFix
TDSSKiller
OTL
GMER

I have attached below the OTL reports; after many attempts I have now managed to get one from GMER and added it to the bottom of this post.

Today I am also getting a message on startup sometimes saying "windows has experienced a serious error", then it sends a report to MS. In safe mode I am also having a problem where McAfee is using all the CPU, so anything else takes an age to run.

OTL logfile created on: 28/07/2010 09:06:41 - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 306.00 Mb Available Physical Memory | 30.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 116.30 Gb Free Space | 78.03% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEVEHP
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

2.
========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
PRC - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe (Zetera Corporation)
PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
MOD - c:\Program Files\McAfee\SiteAdvisor\sahook.dll (McAfee, Inc.)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (MSK80Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McProxy) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (ACT! Scheduler) -- C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe (Sage Software, Inc.)
SRV - (MSSQL$ACT7) SQL Server (ACT7) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (QSCopyEngine) -- C:\Program Files\Iomega\QuikProtect\QpMonitor.exe ()
SRV - (SQLWriter) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
SRV - (SQLBrowser) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
SRV - (MSSQLServerADHelper) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
SRV - (Z-SANService) -- C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe (Zetera Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (SABProcEnum) -- C:\Program Files\Internet Explorer\SABProcEnum.sys File not found
DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found
DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfendiskmp) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mfendisk) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\WINDOWS\system32\drivers\cfwids.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (QsFsFltr) -- C:\WINDOWS\system32\drivers\QsFsFltr.sys (Windows ® Codename Longhorn DDK provider)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (SndTDriverV32) -- C:\WINDOWS\system32\drivers\SndTDriverV32.sys (Windows ® 2000/XP)
DRV - (MovRVDrv32) -- C:\WINDOWS\system32\drivers\MovRVDrv32.sys (Windows ® 2000 DDK provider)
DRV - (SFSZ) -- C:\WINDOWS\system32\drivers\sfsz.sys (DataPlow, Incorporated)
DRV - (ZetBus) -- C:\WINDOWS\system32\drivers\ZetBus.sys (Zetera Corporation)
DRV - (ZetSFD) -- C:\WINDOWS\system32\DRIVERS\ZetSFD.sys (Zetera Corporation)
DRV - (ZetMPD) -- C:\WINDOWS\system32\drivers\ZetMPD.sys (Zetera Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (mcdbus) -- C:\WINDOWS\system32\drivers\mcdbus.sys (MagicISO, Inc.)
DRV - (SE27bus) Sony Ericsson Device 039 Driver driver (WDM) -- C:\WINDOWS\system32\drivers\SE27bus.sys (MCCI)
DRV - (ctprxy2k) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (hap17v2k) -- C:\WINDOWS\system32\drivers\haP17v2k.sys (Creative Technology Ltd)
DRV - (ha10kx2k) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (hap16v2k) -- C:\WINDOWS\system32\drivers\haP16v2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (emupia) -- C:\WINDOWS\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINDOWS\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)
DRV - (SE27mdm) -- C:\WINDOWS\system32\drivers\SE27mdm.sys (MCCI)
DRV - (SE27mdfl) -- C:\WINDOWS\system32\drivers\SE27mdfl.sys (MCCI)
DRV - (se27unic) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM) -- C:\WINDOWS\system32\drivers\se27unic.sys (MCCI)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ctdvda2k) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (iAimFP4) -- C:\WINDOWS\system32\drivers\wVchNTxx.sys (Intel® Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\system32\drivers\wSiINTxx.sys (Intel® Corporation)
DRV - (iAimTV5) -- C:\WINDOWS\system32\drivers\wATV10nt.sys (Intel® Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys (Intel® Corporation)
DRV - (iAimTV6) -- C:\WINDOWS\system32\drivers\wATV06nt.sys (Intel® Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\system32\drivers\wATV04nt.sys (Intel® Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\system32\drivers\wATV02NT.sys (Intel® Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\system32\drivers\wATV01nt.sys (Intel® Corporation)
DRV - (iAimFP7) -- C:\WINDOWS\system32\drivers\wADV09NT.sys (Intel® Corporation)
DRV - (iAimFP5) -- C:\WINDOWS\system32\drivers\wADV07nt.sys (Intel® Corporation)
DRV - (iAimFP6) -- C:\WINDOWS\system32\drivers\wADV08NT.sys (Intel® Corporation)
DRV - (i81x) -- C:\WINDOWS\system32\drivers\i81xnt5.sys (Intel® Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\system32\drivers\wADV01nt.sys (Intel® Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\system32\drivers\wADV02NT.sys (Intel® Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\system32\drivers\wADV05NT.sys (Intel® Corporation)
DRV - (adpu320) -- C:\WINDOWS\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (Symmpi) -- C:\WINDOWS\system32\DRIVERS\symmpi.sys (LSI Logic)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ac97intc) Intel® 82801 Audio Driver Install Service (WDM) -- C:\WINDOWS\system32\drivers\ac97intc.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.co.uk/ig?hl=en [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.defaulturl: "http://uk.search.yah...r=ytff-sunm&p="
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-sunm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-sunm"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.19
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1
FF - prefs.js..extensions.enabledItems: [email protected]:0.51
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.10
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://uk.search.yah...h?fr=mcafee&p="
FF - prefs.js..network.proxy.http_por: ""


FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/02 10:16:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/10/30 09:04:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/26 10:54:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/27 15:25:21 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/07/22 16:12:05 | 000,000,000 | ---D | M]

[2010/01/20 15:07:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/01/20 15:07:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/07/09 12:47:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{ea278cf8-93cd-484f-b951-57360482d33a}
[2009/03/27 10:56:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\[email protected]
[2010/07/27 16:25:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions
[2010/04/27 19:29:02 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/05 08:22:27 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/07/15 19:42:59 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}(2)
[2010/07/27 15:26:02 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/12/22 15:01:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2010/06/15 14:13:13 | 000,000,000 | ---D | M] (Page Speed) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
[2008/07/15 19:42:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\amin.eft_PhProxy@gmail(2).com
[2008/07/15 19:42:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected](2).org
[2008/10/08 10:51:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected]
[2010/05/10 08:59:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected]
[2009/08/13 13:05:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected](2).jung
[2010/06/14 14:34:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected]
[2008/07/15 19:43:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\seo4firefox@seobook(2).com
[2009/08/13 13:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\seo4firefox@seobook(3).com
[2010/04/12 16:11:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected]
[2007/03/27 14:47:44 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\searchplugins\siteadvisor.xml
[2010/07/27 16:25:29 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/03/27 14:42:42 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/07/27 15:34:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2008/07/15 19:42:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\Proxybar@Proxy-trash
[2010/04/27 17:16:24 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/07/27 15:33:35 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/27 15:24:32 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2010/07/02 13:03:02 | 000,002,027 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2010/07/27 17:32:09 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100514083546.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile) - {D5233FCD-D258-4903-89B8-FB1568E7413D} - Reg Error: Value error. File not found
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/...UI.cab55579.cab (MSN Games – Matchmaking)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative....026/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} http://zone.msn.com/...dy.cab55579.cab (MSN Games – Buddy Invite)
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} http://zone.msn.com/...at.cab55579.cab (MSN Games – Game Chat)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1168334057234 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...k.cab102118.cab (MSN Games - Installer)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} https://bis.eu.black...ls/TOImport.cab (TeamOn Import Object)
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} http://zone.msn.com/...xy.cab55579.cab (MSN Games – Game Communicator)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://sageuk.webex...bex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative....15028/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} http://zone.msn.com/...on.cab64162.cab (MSN Games – Backgammon)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\HPQ1280h.BMP
O24 - Desktop BackupWallPaper: C:\WINDOWS\HPQ1280h.BMP
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{5B6CD562-B451-4338-A1DB-0D7929D82601}\Shell - "" = AutoRun
O33 - MountPoints2\{5B6CD562-B451-4338-A1DB-0D7929D82601}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{A9B7B29B-3FEB-4568-B2B7-47F913E81889}\Shell - "" = AutoRun
O33 - MountPoints2\{A9B7B29B-3FEB-4568-B2B7-47F913E81889}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: aux - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midi1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: midimapper - C:\WINDOWS\System32\midimap.dll (Microsoft Corporation)
Drivers32: mixer - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: mixer1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: MSACM.CEGSM - C:\WINDOWS\System32\mobileV.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.imaadpcm - C:\WINDOWS\System32\imaadp32.acm (Microsoft Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.msadpcm - C:\WINDOWS\System32\msadp32.acm (Microsoft Corporation)
Drivers32: msacm.msaudio1 - C:\WINDOWS\System32\msaud32.acm (Microsoft Corporation)
Drivers32: msacm.msg711 - C:\WINDOWS\System32\msg711.acm (Microsoft Corporation)
Drivers32: msacm.msg723 - C:\WINDOWS\System32\msg723.acm (Microsoft Corporation)
Drivers32: msacm.msgsm610 - C:\WINDOWS\System32\msgsm32.acm (Microsoft Corporation)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co....thors/VA012897/)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.I420 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: vidc.iyuv - C:\WINDOWS\System32\iyuv_32.dll (Microsoft Corporation)
Drivers32: vidc.M261 - C:\WINDOWS\System32\msh261.drv (Microsoft Corporation)
Drivers32: vidc.M263 - C:\WINDOWS\System32\msh263.drv (Microsoft Corporation)
Drivers32: vidc.mrle - C:\WINDOWS\System32\msrle32.dll (Microsoft Corporation)
Drivers32: vidc.msvc - C:\WINDOWS\System32\msvidc32.dll (Microsoft Corporation)
Drivers32: vidc.uyvy - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yuy2 - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvu9 - C:\WINDOWS\System32\tsbyuv.dll (Microsoft Corporation)
Drivers32: vidc.yvyu - C:\WINDOWS\System32\msyuv.dll (Microsoft Corporation)
Drivers32: wave - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\wdmaud.drv (Microsoft Corporation)
Drivers32: wavemapper - C:\WINDOWS\System32\msacm32.drv (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/27 20:13:19 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/27 17:48:44 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/27 17:27:50 | 001,170,256 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/07/27 17:26:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\GooredFix Backups
[2010/07/27 17:25:30 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2010/07/27 17:12:01 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/07/27 17:09:38 | 000,520,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTM.exe
[2010/07/27 16:43:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\OpenDNS Updater
[2010/07/27 16:43:42 | 000,000,000 | ---D | C] -- C:\Program Files\OpenDNS Updater
[2010/07/27 15:33:58 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/07/27 15:33:58 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/07/27 15:33:58 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/07/27 15:33:58 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/27 15:25:21 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010/07/27 15:05:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\geekstogo sys restore
[2010/07/27 12:06:00 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/27 12:05:58 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/27 12:01:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/27 12:01:27 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/27 11:46:36 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/07/23 17:28:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Bell Images
[2010/07/22 16:12:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RetroExp
[2010/07/22 13:14:21 | 000,013,824 | R--- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\QsFsFltr.sys
[2010/07/22 13:11:48 | 000,000,000 | ---D | C] -- C:\Program Files\Iomega
[2010/07/14 08:27:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2010/07/12 12:25:41 | 000,000,000 | ---D | C] -- C:\Program Files\WinASO
[2010/06/28 17:49:31 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/06/28 17:49:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2006/08/11 15:56:28 | 000,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

========== Files - Modified Within 30 Days ==========

[2010/07/28 08:51:24 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/28 08:50:59 | 000,000,742 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/07/28 08:26:15 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/07/28 08:26:04 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/07/28 08:25:46 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/28 08:25:44 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/07/28 03:39:19 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/07/28 03:36:53 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/07/28 03:36:36 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/07/28 03:36:14 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\BWWI.job
[2010/07/28 03:36:14 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/07/28 03:36:02 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/07/28 03:35:54 | 1072,222,208 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/28 03:24:26 | 011,796,480 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/07/28 03:24:26 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/07/28 03:24:14 | 004,314,174 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/07/28 03:03:23 | 000,553,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/28 03:03:23 | 000,479,486 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/28 03:03:23 | 000,085,016 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/27 17:52:33 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\z5zt5jcg.exe
[2010/07/27 17:48:45 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/27 17:32:09 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/07/27 17:26:09 | 001,108,900 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2010/07/27 17:25:31 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2010/07/27 17:09:40 | 000,520,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTM.exe
[2010/07/27 17:05:57 | 000,422,091 | ---- | M] () -- C:\Documents and Settings\Administrator\.ranktracker.properties
[2010/07/27 16:42:30 | 000,225,336 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\OpenDNS-Updater-2.2.1.exe
[2010/07/27 15:33:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/07/27 15:33:35 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/07/27 15:33:35 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/07/27 15:33:35 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/27 15:33:34 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/27 15:25:22 | 000,000,901 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk
[2010/07/27 14:59:32 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A7BFBBAD-82C4-48E6-AE23-830EC8F01B93}.job
[2010/07/27 14:51:33 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/27 14:50:29 | 054,835,272 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\setup_av_free.exe
[2010/07/27 12:06:02 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/27 12:01:28 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/07/27 12:01:28 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/07/27 11:46:38 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/07/27 09:43:57 | 054,835,272 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\setup_av_free.exe
[2010/07/26 16:34:07 | 000,202,723 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Horizon Pump Clip.jpg
[2010/07/26 14:56:31 | 001,942,236 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Great Bustard.jpg
[2010/07/26 14:56:26 | 001,928,595 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spire Ale.jpg
[2010/07/26 14:50:26 | 000,025,508 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\stonehenge-pigswill.jpg
[2010/07/26 14:49:41 | 000,031,040 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\6x-pump-clip.jpg
[2010/07/23 12:07:56 | 000,002,516 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/07/23 08:49:44 | 000,000,212 | RHS- | M] () -- C:\boot.ini
[2010/07/22 16:11:12 | 001,170,256 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/07/22 15:50:02 | 000,176,637 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Sales site stuff.zip
[2010/07/20 16:00:12 | 000,442,125 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\afiliate.pdf
[2010/07/19 13:08:20 | 000,000,760 | ---- | M] () -- C:\WINDOWS\cedt.INI
[2010/07/16 14:15:44 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office FrontPage 2003 (2).lnk
[2010/07/16 12:37:07 | 000,053,008 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\template receipt 100716.pdf
[2010/07/16 10:50:40 | 000,045,564 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\PC World HD.pdf
[2010/07/15 12:49:38 | 001,743,360 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\The Bell Images.doc
[2010/07/12 12:45:00 | 011,796,480 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat.bak
[2010/07/12 12:43:03 | 000,000,058 | ---- | M] () -- C:\WINDOWS\RegDefrag.ini
[2010/07/12 12:25:47 | 000,000,833 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\WinASO Registry Optimizer.lnk
[2010/07/03 11:25:22 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/07/02 09:05:30 | 000,002,322 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2010/07/02 09:05:28 | 000,002,344 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Google Chrome.lnk
[2010/06/30 08:20:22 | 000,053,548 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Template Receipt the bell.pdf
[2010/06/28 12:18:17 | 000,047,726 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\The Bell Hosting Confirmation.pdf

========== Files Created - No Company Name ==========

[2010/07/27 17:52:31 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\z5zt5jcg.exe
[2010/07/27 17:26:01 | 001,108,900 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2010/07/27 16:42:28 | 000,225,336 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\OpenDNS-Updater-2.2.1.exe
[2010/07/27 15:25:22 | 000,000,901 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk
[2010/07/27 14:53:26 | 1072,222,208 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/27 14:41:33 | 054,835,272 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\setup_av_free.exe
[2010/07/27 12:06:02 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/27 12:01:28 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/07/27 12:01:28 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/07/27 11:40:00 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/27 11:34:32 | 000,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/07/27 09:42:34 | 054,835,272 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\setup_av_free.exe
[2010/07/26 16:34:07 | 000,202,723 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Horizon Pump Clip.jpg
[2010/07/26 14:56:30 | 001,942,236 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Great Bustard.jpg
[2010/07/26 14:56:25 | 001,928,595 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spire Ale.jpg
[2010/07/26 14:50:50 | 000,025,508 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\stonehenge-pigswill.jpg
[2010/07/26 14:49:59 | 000,031,040 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\6x-pump-clip.jpg
[2010/07/22 15:50:02 | 000,176,637 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Sales site stuff.zip
[2010/07/20 16:00:03 | 000,442,125 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\afiliate.pdf
[2010/07/16 12:37:04 | 000,053,008 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\template receipt 100716.pdf
[2010/07/16 10:50:41 | 000,045,564 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\PC World HD.pdf
[2010/07/15 12:49:38 | 001,743,360 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\The Bell Images.doc
[2010/07/12 12:43:47 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.new.LOG
[2010/07/12 12:43:03 | 000,000,058 | ---- | C] () -- C:\WINDOWS\RegDefrag.ini
[2010/07/12 12:25:47 | 000,000,833 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\WinASO Registry Optimizer.lnk
[2010/06/30 08:20:14 | 000,053,548 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Template Receipt the bell.pdf
[2010/06/28 12:18:07 | 000,047,726 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\The Bell Hosting Confirmation.pdf
[2010/04/28 15:37:44 | 000,000,760 | ---- | C] () -- C:\WINDOWS\cedt.INI
[2010/04/26 10:53:56 | 000,093,184 | RHS- | C] () -- C:\WINDOWS\System32\winfaxe.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/08/13 18:58:59 | 000,163,927 | ---- | C] () -- C:\WINDOWS\System32\ZSANCoInst.dll
[2007/10/08 12:50:57 | 000,156,160 | ---- | C] () -- C:\WINDOWS\System32\unrar3.dll
[2007/10/08 12:50:57 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2007/06/05 17:55:05 | 000,000,243 | ---- | C] () -- C:\WINDOWS\ActiveAct.INI
[2007/05/16 16:44:01 | 000,018,764 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
[2007/02/23 12:09:49 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/01/11 14:16:02 | 000,086,446 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2007/01/11 14:16:02 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2007/01/11 14:16:02 | 000,000,191 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/01/08 13:40:00 | 000,000,742 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/22 13:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 13:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 13:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 13:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 13:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 13:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 13:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/10/09 13:39:28 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/10/09 13:35:29 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/10/09 13:33:42 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/10/03 22:33:54 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2006/08/11 15:57:18 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2006/05/23 13:40:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2006/02/24 16:54:42 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\deskMenu2.dll
[2005/06/16 19:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL
[2003/09/17 21:00:55 | 000,266,327 | ---- | C] () -- C:\WINDOWS\System32\ADErrorHandling.dll
[2002/05/08 10:12:22 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

========== LOP Check ==========

[2008/05/13 09:44:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\AceBIT
[2010/02/22 13:26:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\ACT
[2007/01/08 18:30:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\BitTorrent
[2010/06/15 11:07:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\C8D1D49FF8E60DCC0ED4D06536BF3598
[2007/05/16 16:47:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\deskPDF
[2008/06/02 09:33:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\FileMaker
[2007/03/08 15:34:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Good Keywords v2
[2010/06/15 17:42:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\IBP
[2007/01/05 09:52:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Interact Commerce
[2010/02/23 10:01:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\IsolatedStorage
[2007/01/17 18:38:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Leadertech
[2009/07/28 09:15:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OfficeUpdate12
[2010/07/27 16:43:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\OpenDNS Updater
[2009/12/07 17:52:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Opera
[2007/05/28 14:12:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Propellerhead Software
[2009/08/07 17:18:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Research In Motion
[2010/01/20 15:05:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Thunderbird
[2008/01/23 16:01:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\webex
[2009/08/13 13:10:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\YouSendIt
[2008/05/13 09:44:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AceBIT
[2010/02/22 13:43:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Act
[2010/07/27 14:51:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2008/03/12 15:58:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2010/01/19 14:52:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2007/05/28 14:12:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Propellerhead Software
[2010/07/22 16:21:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RetroExp
[2008/12/11 12:19:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sage Software, Inc
[2010/04/28 08:45:57 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
[2010/07/28 08:51:24 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2010/07/28 03:36:14 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\Tasks\BWWI.job
[2010/07/28 03:39:19 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2010/07/27 14:59:32 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{A7BFBBAD-82C4-48E6-AE23-830EC8F01B93}.job
[2010/07/28 08:26:15 | 000,000,260 | ---- | M] () -- C:\WINDOWS\Tasks\WGASetup.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/07/28 03:35:51 | 000,028,444 | ---- | M] () -- C:\aaw7boot.log
[2008/12/10 13:13:10 | 000,063,425 | ---- | M] () -- C:\ActExtLog.txt
[2010/07/23 08:49:44 | 000,000,212 | RHS- | M] () -- C:\boot.ini
[2007/02/23 13:21:09 | 000,466,074 | ---- | M] () -- C:\CIS NRS manual 2007.pdf
[2008/12/16 12:55:23 | 000,000,081 | ---- | M] () -- C:\CTX.DAT
[2010/07/28 03:35:54 | 1072,222,208 | -HS- | M] () -- C:\hiberfil.sys
[2007/01/05 09:29:09 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/15 18:10:57 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2007/01/05 09:29:09 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 09:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/07/04 10:36:12 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/07/28 03:35:53 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2007/02/05 19:07:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2007/02/20 10:18:47 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2007/02/20 10:30:40 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2007/03/22 10:48:49 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2007/04/09 17:05:44 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2007/04/10 08:59:46 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2007/04/11 08:28:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2007/04/11 16:20:36 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2007/04/13 09:21:05 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2007/04/30 09:24:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2007/05/15 17:26:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2007/05/16 17:30:13 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2007/05/17 09:34:49 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2007/05/17 09:52:21 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2008/03/14 23:22:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/04/24 08:21:35 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/04/24 08:30:25 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
[2007/02/05 19:07:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2007/02/20 10:18:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2007/02/20 10:30:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2007/03/22 10:48:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2007/04/09 17:05:44 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2007/04/10 08:59:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2007/04/11 08:28:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2007/04/11 16:20:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2007/04/13 09:21:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2007/04/30 09:24:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2007/05/15 17:26:37 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2007/05/16 17:30:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2007/05/17 09:34:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2007/05/17 09:52:21 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008/03/14 23:22:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008/03/14 23:22:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/04/24 08:21:35 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/04/24 08:30:25 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2010/07/27 17:29:04 | 000,050,202 | ---- | M] () -- C:\TDSSKiller.2.4.0.0_27.07.2010_17.28.04_log.txt

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2004/08/09 14:32:58 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.tmp >

< %systemroot%\system32\Spool\prtprocs\w32x86\*.dll >
[2008/07/06 13:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.scr >
[2009/07/10 13:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2010/04/26 10:53:56 | 000,093,184 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\winfaxe.dll

< %systemroot%\Tasks\*.job /lockedfiles >
[2010/07/28 03:36:14 | 000,000,316 | -HS- | M] () Unable to obtain MD5 -- C:\WINDOWS\Tasks\BWWI.job

< %systemroot%\System32\config\*.sav >
[2004/08/09 07:20:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/09 07:20:08 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/09 07:20:08 | 000,864,256 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\user32.dll /md5 >
[2008/04/14 01:12:08 | 000,578,560 | ---- | M] (Microsoft Corporation) MD5=B26B135FF1B9F60C9388B4A7D16F600B -- C:\WINDOWS\system32\user32.dll

< %systemroot%\system32\ws2_32.dll /md5 >
[2008/04/14 01:12:10 | 000,082,432 | ---- | M] (Microsoft Corporation) MD5=2CCC474EB85CEAA3E1FA1726580A3E5A -- C:\WINDOWS\system32\ws2_32.dll

< %systemroot%\system32\ws2help.dll /md5 >
[2008/04/14 01:12:10 | 000,019,968 | ---- | M] (Microsoft Corporation) MD5=9789E95E1D88EEB4B922BF3EA7779C28 -- C:\WINDOWS\system32\ws2help.dll

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-28 02:09:04
< End of report >



OTL Extras logfile created on: 28/07/2010 09:06:41 - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 306.00 Mb Available Physical Memory | 30.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 58.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 116.30 Gb Free Space | 78.03% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEVEHP
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\BitTorrent\bittorrent.exe" = C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent -- File not found
"C:\Program Files\Actinic v8\Catalog.exe" = C:\Program Files\Actinic v8\Catalog.exe:*:Enabled:Catalog - Internet Sales Application -- (Actinic Software Limited)
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = C:\Program Files\Microsoft ActiveSync\wcescomm.exe:*:Enabled:ActiveSync Connection Manager -- (Microsoft Corporation)
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe" = C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:*:Enabled:ActiveSync Application -- (Microsoft Corporation)
"C:\Program Files\ACT\Act for Windows\ActSage.exe" = C:\Program Files\ACT\Act for Windows\ActSage.exe:*:Enabled:ACT! by Sage -- (Sage Software, Inc.)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Google\Google Talk\googletalk.exe" = C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk -- File not found
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- File not found
"C:\Program Files\Skype\Plugin Manager\skypePM.exe" = C:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager -- File not found
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpBrowser.exe" = C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpBrowser.exe:*:Enabled:BT Business Broadband Desktop Help -- (Alcatel-Lucent)
"C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe" = C:\Program Files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe:*:Enabled:BT Business Broadband Desktop Help Notifier -- File not found
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00030409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Small Business
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{1761224D-B108-4921-BB02-5551F7B412F6}" = Google AdWords Editor
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216021FF}" = Java™ 6 Update 21
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (ACT7)
"{338F08AB-C262-42C7-B000-34DE1A475273}" = Ad-Aware Email Scanner for Outlook
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{58795EE4-FCF7-43A4-A5F6-269E69D0CD0B}" = ACT! by Sage 2010
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90170409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office FrontPage 2003
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{98AD61BF-A229-411A-8723-B5E7F72D725C}" = Opera 10.52
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{A06275F4-324B-4E85-95E6-87B2CD729401}" = Windows Defender
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A3672E1B-021F-4F50-A891-609471CCF941}" = NETGEAR Storage Central Manager Utility
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A93C4E94-1005-489D-BEAA-B873C1AA6CFC}" = HP Help and Support
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C08E4323-261D-4B2F-8F24-CDB26E2AA081}" = Iomega Home Storage Manager
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D21C9D95-DDBA-4962-899D-D1D350186555}" = WISE-FTP 5
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"Actinic Catalog v8" = Actinic v8
"Actinic Payment Service Providers v8" = Actinic Payment Service Providers Component v8
"Actinic Shared SSL Service Providers Component v8" = Actinic Shared SSL Service Providers Component V8
"ActiveTouchMeetingClient" = WebEx
"Ad-Aware" = Ad-Aware
"All ATI Software" = ATI - Software Uninstall Utility
"ATI Display Driver" = ATI Display Driver
"BT Business Broadband Desktop Help" = BT Business Broadband Desktop Help
"Crimson Editor SVN286" = Crimson Editor SVN286
"deskPDF 2.5 Professional_is1" = deskPDF 2.5 Professional Edition
"ERUNT_is1" = ERUNT 1.1j
"Foxit Reader" = Foxit Reader
"Good Keywords v3_is1" = Good Keywords v3 042209
"Google Updater" = Google Updater
"GPL Ghostscript_is1" = Docudesk GPL Ghostscript 8.15
"GSiteCrawler" = GSiteCrawler
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"InstallShield_{58795EE4-FCF7-43A4-A5F6-269E69D0CD0B}" = ACT! by Sage 2010
"MagicDisc 2.5.74" = MagicDisc 2.5.74
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"Mozilla Thunderbird (3.1.1)" = Mozilla Thunderbird (3.1.1)
"MSC" = McAfee Total Protection
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"OpenDNS Updater" = OpenDNS Updater 2.2.1
"RankTracker" = Rank Tracker
"RealPlayer 6.0" = RealPlayer
"seopowersuite" = Rank Tracker
"SmartSync Pro" = SmartSync Pro
"TUGZip_is1" = TUGZip 3.4
"WebCEO70_is1" = Web CEO 8.1
"WinASO Registry Optimizer 4.5.5_is1" = WinASO Registry Optimizer 4.5.5
"Windows CE Services" = Microsoft ActiveSync 3.8
"Windows Live OneCare safety scanner" = Windows Live OneCare safety scanner
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome
"GoToMeeting" = GoToMeeting 4.5.0.452

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 22/07/2010 15:04:11 | Computer Name = STEVEHP | Source = McLogEvent | ID = 5051
Description = A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
took longer than 90000 ms to complete a request. The process will be terminated.
Thread
id : 1320 (0x528) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.2.0.723
/ 5400.1158 Object being scanned = \Device\HarddiskVolume1\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP20\A0004087.inf

by C:\Program Files\Alwil Software\Avast5\AvastSvc.exe 4(0)(0) 4(0)(0) 7200(0)(0)

7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 23/07/2010 03:37:05 | Computer Name = STEVEHP | Source = ACT! Scheduler | ID = 0
Description = Service cannot be started. System.Exception: Unable to start scheduler
service. Missing server configuration information. at Act.Scheduler.SchedulerService.OnStart(String[]
args) at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error - 23/07/2010 03:40:14 | Computer Name = STEVEHP | Source = ACT! Scheduler | ID = 0
Description = Service cannot be started. System.Exception: Unable to start scheduler
service. Missing server configuration information. at Act.Scheduler.SchedulerService.OnStart(String[]
args) at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error - 23/07/2010 04:06:20 | Computer Name = STEVEHP | Source = Application Error | ID = 1000
Description = Faulting application ptrvta.exe, version 6.45.0.874, faulting module
unknown, version 0.0.0.0, fault address 0x001432c8.

Error - 23/07/2010 04:06:21 | Computer Name = STEVEHP | Source = ACT! Scheduler | ID = 0
Description = Service cannot be started. System.Exception: Unable to start scheduler
service. Missing server configuration information. at Act.Scheduler.SchedulerService.OnStart(String[]
args) at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error - 23/07/2010 04:09:32 | Computer Name = STEVEHP | Source = McLogEvent | ID = 5051
Description = A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
took longer than 90000 ms to complete a request. The process will be terminated.
Thread
id : 2264 (0x8d8) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.2.0.723
/ 5400.1158 Object being scanned = \Device\HarddiskVolume1\WINDOWS\system32\WgaTray.exe

by \??\C:\WINDOWS\system32\winlogon.exe 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0)

7004(0)(0) 5006(0)(0) 5004(0)(0)

Error - 23/07/2010 04:13:20 | Computer Name = STEVEHP | Source = ACT! Scheduler | ID = 0
Description = Service cannot be started. System.Exception: Unable to start scheduler
service. Missing server configuration information. at Act.Scheduler.SchedulerService.OnStart(String[]
args) at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error - 23/07/2010 04:13:40 | Computer Name = STEVEHP | Source = Application Error | ID = 1000
Description = Faulting application ptrvta.exe, version 6.45.0.874, faulting module
unknown, version 0.0.0.0, fault address 0x001532c8.

Error - 23/07/2010 04:17:40 | Computer Name = STEVEHP | Source = ACT! Scheduler | ID = 0
Description = Service cannot be started. System.Exception: Unable to start scheduler
service. Missing server configuration information. at Act.Scheduler.SchedulerService.OnStart(String[]
args) at System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Error - 23/07/2010 04:18:21 | Computer Name = STEVEHP | Source = Application Error | ID = 1000
Description = Faulting application ptrvta.exe, version 6.45.0.874, faulting module
unknown, version 0.0.0.0, fault address 0x001532c8.

[ System Events ]
Error - 27/07/2010 12:21:15 | Computer Name = STEVEHP | Source = Service Control Manager | ID = 7000
Description = The QSCopyEngine service failed to start due to the following error:
%%1053

Error - 27/07/2010 12:21:15 | Computer Name = STEVEHP | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 27/07/2010 12:21:49 | Computer Name = STEVEHP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt

Error - 27/07/2010 12:21:58 | Computer Name = STEVEHP | Source = System Error | ID = 1003
Description = Error code 100000d4, parameter1 b717a108, parameter2 000000ff, parameter3
00000001, parameter4 80546a19.

Error - 27/07/2010 12:30:23 | Computer Name = STEVEHP | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 27/07/2010 12:32:07 | Computer Name = STEVEHP | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
i8042prt ZetSFD

Error - 27/07/2010 12:32:08 | Computer Name = STEVEHP | Source = Service Control Manager | ID = 7034
Description = The Ati HotKey Poller service terminated unexpectedly. It has done
this 1 time(s).

Error - 27/07/2010 12:32:08 | Computer Name = STEVEHP | Source = Service Control Manager | ID = 7031
Description = The Lavasoft Ad-Aware Service service terminated unexpectedly. It
has done this 1 time(s). The following corrective action will be taken in 5000
milliseconds: Restart the service.

Error - 27/07/2010 12:32:08 | Computer Name = STEVEHP | Source = Service Control Manager | ID = 7034
Description = The McciCMService service terminated unexpectedly. It has done this
1 time(s).

Error - 27/07/2010 12:32:08 | Computer Name = STEVEHP | Source = Service Control Manager | ID = 7034
Description = The NVIDIA Display Driver Service service terminated unexpectedly.
It has done this 1 time(s).


< End of report >

3.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-28 15:24:59
Windows 5.1.2600 Service Pack 3
Running: z5zt5jcg.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwddypob.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF766087E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7660BFE]

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7416DC6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7416DF2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7416E48]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF7416D9C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7416D74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7416D88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF7416DDC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF7416E1E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7416E72]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7416E5E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7416E32]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AF4 7 Bytes JMP F7416E36 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B1FE6 7 Bytes JMP F7416E4C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2DF4 5 Bytes JMP F7416E62 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetSecurityObject 805C05DA 5 Bytes JMP F7416E22 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB3FA 5 Bytes JMP F7416D78 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB686 5 Bytes JMP F7416D8C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D2982 5 Bytes JMP F7416E76 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231EA 7 Bytes JMP F7416DE0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C64 7 Bytes JMP F7416DCA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E34 7 Bytes JMP F7416DF6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624BA6 5 Bytes JMP F7416DA0 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6D0B360, 0x24BB1D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[564] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FC0000
.text C:\WINDOWS\Explorer.EXE[564] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FC0FDB
.text C:\WINDOWS\Explorer.EXE[564] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FC001B
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FB0FEF
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FB0F72
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FB0F83
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FB005B
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FB0F9E
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FB0FC3
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FB0F3C
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FB0F4D
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FB0EFF
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FB0F1A
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FB0EE4
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FB004A
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FB0FDE
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FB0078
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FB002F
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FB0014
.text C:\WINDOWS\Explorer.EXE[564] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FB0F2B
.text C:\WINDOWS\Explorer.EXE[564] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\Explorer.EXE[564] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90069
.text C:\WINDOWS\Explorer.EXE[564] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\Explorer.EXE[564] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E9001B
.text C:\WINDOWS\Explorer.EXE[564] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E90058
.text C:\WINDOWS\Explorer.EXE[564] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E9000A
.text C:\WINDOWS\Explorer.EXE[564] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E90047
.text C:\WINDOWS\Explorer.EXE[564] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E90036
.text C:\WINDOWS\Explorer.EXE[564] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80069
.text C:\WINDOWS\Explorer.EXE[564] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\Explorer.EXE[564] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80033
.text C:\WINDOWS\Explorer.EXE[564] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E8000C
.text C:\WINDOWS\Explorer.EXE[564] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80044
.text C:\WINDOWS\Explorer.EXE[564] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\Explorer.EXE[564] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E60000
.text C:\WINDOWS\Explorer.EXE[564] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\Explorer.EXE[564] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E60FDE
.text C:\WINDOWS\Explorer.EXE[564] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E60FCD
.text C:\WINDOWS\Explorer.EXE[564] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E7000A
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1004] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[1004] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[1084] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\services.exe[1084] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D90FDE
.text C:\WINDOWS\system32\services.exe[1084] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D9000A
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D80040
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80F4B
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80F72
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80F83
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D80FAF
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D80082
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D80F3A
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D80EFD
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D80F0E
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D80EE2
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80F9E
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D80065
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D80FCA
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80025
.text C:\WINDOWS\system32\services.exe[1084] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D80F1F
.text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E4002C
.text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E4005B
.text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40FDB
.text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E4001B
.text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40F9E
.text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E4000A
.text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [04, 89] {ADD AL, 0x89}
.text C:\WINDOWS\system32\services.exe[1084] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E40FCA
.text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0027
.text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0F9C
.text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB000C
.text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0FB7
.text C:\WINDOWS\system32\services.exe[1084] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB0FD2
.text C:\WINDOWS\system32\services.exe[1084] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BB0000
.text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB0FE5
.text C:\WINDOWS\system32\lsass.exe[1104] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FE5
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F5C
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0036
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0F94
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA0F24
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA0F35
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00AC
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F13
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BA0EF8
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BA0F83
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BA0FD4
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BA006C
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BA0FC3
.text C:\WINDOWS\system32\lsass.exe[1104] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BA0091
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F10FDE
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F10FAB
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F1002F
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F10014
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F10FBC
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F10FEF
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F10FCD
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [11, 89]
.text C:\WINDOWS\system32\lsass.exe[1104] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F1004A
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BD0FB0
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BD0FC1
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BD0FD2
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BD000C
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BD0027
.text C:\WINDOWS\system32\lsass.exe[1104] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\lsass.exe[1104] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 025C0000
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 025C0022
.text C:\WINDOWS\system32\svchost.exe[1280] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 025C0011
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025B0FEF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025B0F64
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025B0F75
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025B0F86
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025B0F97
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025B0FC3
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025B0F35
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025B0087
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025B0EF8
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025B0F09
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025B00AC
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 025B0FB2
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 025B0FDE
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 025B006A
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 025B0025
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 025B0014
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025B0F1A
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 025F0FA5
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 025F0F57
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 025F0000
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 025F0FD4
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 025F0F68
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 025F0FE5
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 025F0F79
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [7F, 8A] {JG 0xffffffffffffff8c}
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 025F0F94
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025E0FA1
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!system 77C293C7 5 Bytes JMP 025E0FB2
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025E0022
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025E0000
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025E0FCD
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025E0011
.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 025D0FEF
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CC000A
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CC0025
.text C:\WINDOWS\system32\svchost.exe[1368] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CC0FEF
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CB0F9E
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CB0089
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CB0FAF
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CB006C
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CB0FD4
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CB0F5C
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CB00AE
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CB00F5
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CB00D0
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CB0F41
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CB005B
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CB0011
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CB0F83
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CB0036
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CB0FE5
.text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CB00BF
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D30FE5
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D3007D
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D30036
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D3001B
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D30FC0
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D3000A
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00D30062
.text C:\WINDOWS\system32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D30047
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE0FAD
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE0038
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE001D
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0FC8
.text C:\WINDOWS\system32\svchost.exe[1368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE000C
.text C:\WINDOWS\system32\svchost.exe[1368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD0FEF
.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03CB0FEF
.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03CB0FC3
.text C:\WINDOWS\System32\svchost.exe[1480] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03CB0FD4
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03CA0000
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03CA008D
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03CA007C
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03CA005F
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03CA004E
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03CA002C
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03CA00C5
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03CA00A8
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 03CA00E0
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03CA0F47
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03CA00F1
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03CA003D
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03CA0FE5
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03CA0F7D
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03CA0FCA
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03CA001B
.text C:\WINDOWS\System32\svchost.exe[1480] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03CA0F62
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03C4003D
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03C4009F
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03C40022
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 03C40011
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03C40084
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03C40000
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 03C40073
.text C:\WINDOWS\System32\svchost.exe[1480] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03C40062
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03CD003B
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!system 77C293C7 5 Bytes JMP 03CD0FA6
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03CD0FD2
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03CD0000
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03CD0FB7
.text C:\WINDOWS\System32\svchost.exe[1480] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03CD0FEF
.text C:\WINDOWS\System32\svchost.exe[1480] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03CF0FEF
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 03CE0000
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 03CE001B
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 03CE002C
.text C:\WINDOWS\System32\svchost.exe[1480] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 03CE0FDB
.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\svchost.exe[1528] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00650FD4
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00640FEF
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006400A7
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00640096
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00640FB2
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00640FC3
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0064004A
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006400CE
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00640F7C
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00640F57
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006400FA
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00640F46
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00640065
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00640FD4
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00640F8D
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0064002F
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00640014
.text C:\WINDOWS\system32\svchost.exe[1528] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006400DF
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00630FCD
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00630076
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00630FDE
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00630065
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0063000A
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0063004A
.text C:\WINDOWS\system32\svchost.exe[1528] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00630039
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00660FB2
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!system 77C293C7 5 Bytes JMP 00660047
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0066001B
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00660FE3
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0066002C
.text C:\WINDOWS\system32\svchost.exe[1528] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 007F0FEF
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 007F0FDE
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007F0014
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007E0F7B
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007E0070
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007E005F
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007E004E
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007E0022
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007E0F34
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007E0F4F
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007E00A1
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007E0F08
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007E0EED
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007E0033
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007E0000
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007E0F6A
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007E0FB6
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007E0011
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007E0F23
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007D002F
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007D006C
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007D0FDE
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007D0FEF
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007D005B
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007D0040
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007D0FC3
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00810FB9
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!system 77C293C7 5 Bytes JMP 0081004E
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00810029
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0081000C
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00810FDE
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00810FEF
.text C:\WINDOWS\system32\svchost.exe[1684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00800000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 44C30000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 44C30FDB
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 44C30011
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 44C20FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 44C20F72
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 44C20067
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 44C20056
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 44C20F8D
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 44C20FB9
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 44C20093
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 44C20082
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 44C200AE
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 44C20F1F
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 44C20F04
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 44C20FA8
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 44C2000A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 44C20F57
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 44C2001B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 44C20FCA
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 44C20F30
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 44C00FA3
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] msvcrt.dll!system 77C293C7 5 Bytes JMP 44C0002E
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 44C00FD2
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] msvcrt.dll!_open 77C2F566 5 Bytes JMP 44C00FE3
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 44C0001D
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 44C00000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 44C1002F
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 44C10076
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 44C1001E
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 44C10FDE
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 44C10FB9
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 44C10FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 44C1005B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 44C1004A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[1692] WS2_32.dll!socket 71AB4211 5 Bytes JMP 44BF000A
.text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00000
.text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C00FDB
.text C:\WINDOWS\system32\svchost.exe[1720] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C00011
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BF0F68
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BF0F83
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BF0F94
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BF0051
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BF0FC3
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BF0F2D
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BF007F
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BF0F01
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BF009A
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BF00B5
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BF001B
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BF006E
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BF0FD4
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BF0FE5
.text C:\WINDOWS\system32\svchost.exe[1720] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BF0F1C
.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BE0FCA
.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BE0F83
.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BE0025
.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BE000A
.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BE0F9E
.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DE, 88]
.text C:\WINDOWS\system32\svchost.exe[1720] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BE0FAF
.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20FD2
.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C2005D
.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C2002E
.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C2000C
.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FE3
.text C:\WINDOWS\system32\svchost.exe[1720] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C2001D
.text C:\WINDOWS\system32\svchost.exe[1720] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10FEF
.text C:\WINDOWS\system32\svchost.exe[1948] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1948] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1948] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C20F69
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C2005E
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C20F86
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C20043
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C20FA8
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C20080
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C20F44
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C200B6
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C20F1D
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C20F02
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C20F97
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C20FDE
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C2006F
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C20014
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C20FC3
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C2009B
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C10036
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C1006C
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C10025
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C1005B
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C10000
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C10FB9
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E1, 88] {LOOPZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C10FCA
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C00FB2
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C00FC3
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C00018
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C00033
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\svchost.exe[1948] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1948] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\svchost.exe[1948] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00BE002C
.text C:\WINDOWS\system32\svchost.exe[1948] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00BE003D
.text C:\WINDOWS\system32\svchost.exe[1948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[2568] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[2568] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BD0FD4
.text C:\WINDOWS\system32\svchost.exe[2568] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BC0F83
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BC0FAF
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BC006C
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BC0051
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BC00C4
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BC009D
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BC0F3C
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BC0F57
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BC00FA
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BC0FC0
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BC0011
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BC0F72
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BC0036
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BC0FDB
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BC00D5
.text C:\WINDOWS\system32\svchost.exe[2568] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BB001B
.text C:\WINDOWS\system32\svchost.exe[2568] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BB0F94
.text C:\WINDOWS\system32\svchost.exe[2568] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BB0FD4
.text C:\WINDOWS\system32\svchost.exe[2568] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\system32\svchost.exe[2568] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BB0051
.text C:\WINDOWS\system32\svchost.exe[2568] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BB000A
.text C:\WINDOWS\system32\svchost.exe[2568] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BB0040
.text C:\WINDOWS\system32\svchost.exe[2568] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BB0FAF
.text C:\WINDOWS\system32\svchost.exe[2568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0FA1
.text C:\WINDOWS\system32\svchost.exe[2568] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA002C
.text C:\WINDOWS\system32\svchost.exe[2568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0FC6
.text C:\WINDOWS\system32\svchost.exe[2568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0FE3
.text C:\WINDOWS\system32\svchost.exe[2568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA001B
.text C:\WINDOWS\system32\svchost.exe[2568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1648] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [004076E0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[1648] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

4. The PC is working sporadically: sometimes it just turns off (no BSOD, just as if the power had been pulled out), and it also keeps locking up.

Update 29/07 - Took a few times to boot, but then worked all day, although it got slower and slower as the day went on, especially Firefox. It would not shut down though; every time it did, it would start up again, so I had to take the power cable out in the end.

Update 30/07 - Took several attempts to boot up again, although I have noticed that when I get the "data execution prevention" message related to PsiService it starts, but when I don't, it seems to reboot itself shortly after the "system has recovered from a serious error" message. Still redirecting too.

Update 31/07 - Only crashed twice while starting up today, but several "windows has recovered from a serious error" messages when it did start; also Firefox is incredibly slow today. CPU keeps going to 100% and the fans in the PC are whirring from various processes.

Edited by admin, 08 August 2010 - 06:25 PM.


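A triage script for output like the GMER log above, added here as an example; it is not part of the original post and not GMER's own code. It parses the user-mode inline-hook lines (`.text <process>[pid] <module>!<export> <address> 5 Bytes JMP <target>`) and the disk-sector lines, then reports per process how many exports are hooked, which 64 KiB regions the JMPs land in, which API families (process creation, network, file, registry, loader, memory protection) are covered, and which sectors GMER says contain a copy of the MBR. The sample lines are constructed from a few entries in the log; the API family table and the 64 KiB region grouping are assumptions made for triage. Caveat: hooks that all land in a couple of small private regions, like the 00BAxxxx to 00C2xxxx targets in the log, are what an injected DLL or a shellcode stub looks like, but host security products install user-mode hooks that print the same way, so the summary is a starting point for matching the targets against the process's loaded modules, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample in GMER 1.0.15 format, modelled on a handful of the
# user-mode hook and disk-sector lines in the log above (not the whole log).
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C200B6
.text C:\WINDOWS\system32\svchost.exe[1948] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\svchost.exe[1948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C10FB9
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E1, 88] {LOOPZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[2568] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\system32\svchost.exe[2568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BC0F94
.text C:\WINDOWS\system32\svchost.exe[2568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0000
Disk \Device\Harddisk0\DR0 sector 01: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
"""

# One inline hook: ".text <proc>[pid] <module>!<export> <addr> <n> Bytes JMP <target>"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$"
)
# One disk-sector finding: "Disk <device> sector NN: <description>"
SECTOR_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+sector\s+(?P<sector>\d+):\s*(?P<desc>.+?)\s*$")

# Rough grouping of hooked exports by what an interposer gains from them.
# This table is an assumption for triage, not anything GMER emits.
API_FAMILIES = {
    "process": {"CreateProcessA", "CreateProcessW", "NtCreateProcess", "WinExec", "system", "_wsystem"},
    "network": {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
    "file": {"CreateFileA", "CreateFileW", "NtCreateFile", "_open", "_wopen", "_creat", "_wcreat",
             "CreatePipe", "CreateNamedPipeA", "CreateNamedPipeW"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "memory": {"VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory"},
}


def classify(func):
    if func.startswith("Reg"):
        return "registry"
    return next((fam for fam, names in API_FAMILIES.items() if func in names), "other")


def parse_gmer(text):
    """Split GMER output into inline-hook records and disk-sector records."""
    hooks, sectors = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append({"proc": m["proc"], "pid": int(m["pid"]), "module": m["module"],
                          "func": m["func"], "addr": int(m["addr"], 16),
                          "nbytes": int(m["nbytes"]), "target": int(m["target"], 16)})
            continue
        m = SECTOR_RE.match(line)
        if m:
            sectors.append({"device": m["device"], "sector": int(m["sector"]), "desc": m["desc"]})
    return hooks, sectors


def summarize_hooks(hooks):
    """Per process: hook count, distinct 64 KiB regions the JMPs land in,
    API families touched, and hooks GMER reported as shorter than 5 bytes."""
    by_proc = defaultdict(list)
    for h in hooks:
        by_proc[f"{h['proc']}[{h['pid']}]"].append(h)
    summary = {}
    for key, items in by_proc.items():
        regions = sorted({h["target"] & ~0xFFFF for h in items})
        summary[key] = {
            "hooks": len(items),
            "target_regions": [f"{r:08X}" for r in regions],
            "families": sorted({classify(h["func"]) for h in items}),
            "partial": [h["func"] for h in items if h["nbytes"] < 5],
        }
    return summary


def summarize_sectors(sectors):
    """Sectors GMER says hold a copy of the MBR, and those it also flags."""
    return {
        "mbr_copies": [s["sector"] for s in sectors if "copy of MBR" in s["desc"]],
        "flagged": [s["sector"] for s in sectors if "rootkit-like" in s["desc"]],
    }


def triage(text):
    hooks, sectors = parse_gmer(text)
    return {"processes": summarize_hooks(hooks), "disk": summarize_sectors(sectors)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a saved GMER log by replacing `SAMPLE_LOG` with the file's contents; the `partial` list is worth a look because a hook GMER reports as fewer than 5 bytes usually means something else has overwritten part of the patch, as with the split `RegCreateKeyW` entry in the log.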
#2 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)

Hello and welcome to the forums! My name is SweetTech, it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

If you have already received help elsewhere please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post.
  • Please make sure to carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is make sure that your anti-virus definitions are up-to-date!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is that these tools are updated fairly regularly.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.
____________________________________________________

I'd like to get some fresh logs from you.

OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen OTL on your desktop.
  • Copy and Paste the following text into the Custom Scans/Fixes textbox.


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push the Run Scan button.
  • A report will open. Copy and Paste that report in your next reply.


NEXT:

The log file requested above, as well as an update on how your computer is currently running.

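The custom-scan list above is essentially a set of directory/extension pairs where a file of that type has no business being (a .dll in Fonts, a .jpg in system32, anything at all in the print-processor directory). The script below is an added example, not OTL's code, that performs the same kind of sweep over a constructed fake system root and additionally checks whether each hit starts with an MZ header, which is the quick way to tell an executable hiding under a data extension. The sample tree, its file contents and the treatment of `*.*` as "every file" are assumptions made for the example. Some hits are normal (desktop.ini in Fonts, winprint.dll among the print processors): the sweep produces a list for a human to read against known-good, not a verdict.

```python
import fnmatch
import tempfile
from pathlib import Path

# Directory / extension pairs taken from the custom-scan list above, relative
# to a system root. Each is a location where a file of that type is unusual.
# "*.*" is treated as "every file" (assumption about OTL's wildcard semantics).
SWEEP_PATTERNS = [
    ("system32", "*.wt"), ("system32", "*.ruy"), ("system32", "*.jpg"),
    ("Fonts", "*.com"), ("Fonts", "*.dll"), ("Fonts", "*.ini"), ("Fonts", "*.ini2"),
    (r"system32\spool\prtprocs\w32x86", "*.*"),
    ("REPAIR", "*.bak1"), ("REPAIR", "*.ini"),
    ("", "*.jpg"), ("", "*.png"), ("", "*.scr"), ("", "*._sy"),
]

# Constructed sample content for a fake %systemroot%; "MZ" stands in for a PE header.
SAMPLE_TREE = {
    "Fonts/arial.ttf": b"\x00\x01\x00\x00 legit font",
    "Fonts/desktop.ini": b"[.ShellClassInfo]",        # normal on Windows; a hit, not a verdict
    "Fonts/update.dll": b"MZ\x90\x00",                # a DLL in Fonts is not normal
    "system32/kernel32.dll": b"MZ\x90\x00",
    "system32/svchost.jpg": b"MZ\x90\x00",            # image extension, executable content
    "system32/spool/prtprocs/w32x86/winprint.dll": b"MZ\x90\x00",  # legitimate print processor
    "system32/spool/prtprocs/w32x86/fhxeq.dll": b"MZ\x90\x00",     # unknown print processor
    "REPAIR/system.bak1": b"regf",
    "notepad.exe": b"MZ\x90\x00",
    "wallpaper.png": b"\x89PNG\r\n\x1a\n",
}


def looks_executable(path):
    """True if the file starts with the 'MZ' DOS header, whatever its extension."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def sweep(systemroot, patterns=SWEEP_PATTERNS):
    """Return sorted (relative_posix_path, starts_with_MZ) pairs for matching files.
    Only the named directory is listed, not its subdirectories, mirroring the scan list."""
    root = Path(systemroot)
    hits = set()
    for subdir, pattern in patterns:
        directory = root.joinpath(*subdir.split("\\")) if subdir else root
        if not directory.is_dir():
            continue
        glob = "*" if pattern == "*.*" else pattern
        for entry in directory.iterdir():
            if entry.is_file() and fnmatch.fnmatch(entry.name.lower(), glob.lower()):
                hits.add((entry.relative_to(root).as_posix(), looks_executable(entry)))
    return sorted(hits)


def build_sample_tree(base):
    """Write the constructed sample tree under base."""
    for rel, content in SAMPLE_TREE.items():
        path = Path(base, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def sweep_sample():
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for rel, is_mz in sweep_sample():
        print(f"{'PE ' if is_mz else '   '} {rel}")
```

On a real machine, call `sweep(r"C:\WINDOWS")` from an account that can read the listed directories; the MZ check is what separates `svchost.jpg` (an executable under an image name) from `wallpaper.png` (an image that merely matched the pattern).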
#3 Steve_gts (Member, Topic Starter, 29 posts)

Hi SweetTech,

Thanks for getting back to me, no worries about the delay, I can see how many requests you are getting here. I will have a look at doing the training myself once the link is back up (and when my PC is working at a decent speed again).

PC Update - it only crashed once when starting up today, then had one "serious error" when it did start up. Firefox takes anywhere from 2 minutes upwards to start up, but the fans are not on much and CPU usage is nowhere near as high as it has been over the last few days. It still seems to be trying to redirect off a Google search in Firefox, but is being blocked by something I installed from a link (it flashes up a little gremlin in a struck-out circle; OpenDNS perhaps).

OTL logfile created on: 01/08/2010 12:29:48 - Run 2
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Administrator\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1,022.00 Mb Total Physical Memory | 328.00 Mb Available Physical Memory | 32.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 55.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 116.22 Gb Free Space | 77.98% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STEVEHP
Current User Name: Administrator
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
PRC - C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
PRC - C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
PRC - C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
PRC - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
PRC - C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe (McAfee, Inc.)
PRC - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
PRC - C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe (Zetera Corporation)
PRC - C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Administrator\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
SRV - (Lavasoft Ad-Aware Service) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (Lavasoft)
SRV - (mfefire) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe (McAfee, Inc.)
SRV - (mfevtp) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee, Inc.)
SRV - (McODS) -- C:\Program Files\McAfee\VirusScan\mcods.exe (McAfee, Inc.)
SRV - (McAfee SiteAdvisor Service) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (McAfee, Inc.)
SRV - (MSK80Service) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McProxy) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNASvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McNaiAnn) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (mcmscsvc) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McMPFSvc) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe (McAfee, Inc.)
SRV - (McShield) -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe ()
SRV - (ACT! Scheduler) -- C:\Program Files\ACT\Act for Windows\Act.Scheduler.exe (Sage Software, Inc.)
SRV - (MSSQL$ACT7) SQL Server (ACT7) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (Microsoft Corporation)
SRV - (SeaPort) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (Microsoft Corporation)
SRV - (QSCopyEngine) -- C:\Program Files\Iomega\QuikProtect\QpMonitor.exe ()
SRV - (SQLWriter) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe (Microsoft Corporation)
SRV - (SQLBrowser) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (Microsoft Corporation)
SRV - (MSSQLServerADHelper) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe (Microsoft Corporation)
SRV - (PSI_SVC_2) -- C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe (Protexis Inc.)
SRV - (Z-SANService) -- C:\Program Files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe (Zetera Corporation)
SRV - (WinDefend) -- C:\Program Files\Windows Defender\MsMpEng.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (SABProcEnum) -- C:\Program Files\Internet Explorer\SABProcEnum.sys File not found
DRV - (MRENDIS5) -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS File not found
DRV - (MREMPR5) -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS File not found
DRV - (Lbd) -- C:\WINDOWS\system32\DRIVERS\Lbd.sys (Lavasoft AB)
DRV - (mfehidk) -- C:\WINDOWS\system32\drivers\mfehidk.sys (McAfee, Inc.)
DRV - (mfefirek) -- C:\WINDOWS\system32\drivers\mfefirek.sys (McAfee, Inc.)
DRV - (mfeavfk) -- C:\WINDOWS\system32\drivers\mfeavfk.sys (McAfee, Inc.)
DRV - (mfeapfk) -- C:\WINDOWS\system32\drivers\mfeapfk.sys (McAfee, Inc.)
DRV - (mfendiskmp) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mfendisk) -- C:\WINDOWS\system32\drivers\mfendisk.sys (McAfee, Inc.)
DRV - (mferkdet) -- C:\WINDOWS\system32\drivers\mferkdet.sys (McAfee, Inc.)
DRV - (mfetdi2k) -- C:\WINDOWS\system32\drivers\mfetdi2k.sys (McAfee, Inc.)
DRV - (cfwids) -- C:\WINDOWS\system32\drivers\cfwids.sys (McAfee, Inc.)
DRV - (mfebopk) -- C:\WINDOWS\system32\drivers\mfebopk.sys (McAfee, Inc.)
DRV - (SASDIFSV) -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASKUTIL) -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM) -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS ( SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (MREMP50) -- C:\Program Files\Common Files\Motive\MREMP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (MRESP50) -- C:\Program Files\Common Files\Motive\MRESP50.sys (Printing Communications Assoc., Inc. (PCAUSA))
DRV - (QsFsFltr) -- C:\WINDOWS\system32\drivers\QsFsFltr.sys (Windows ® Codename Longhorn DDK provider)
DRV - (gameenum) -- C:\WINDOWS\system32\drivers\gameenum.sys (Microsoft Corporation)
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows ® Server 2003 DDK provider)
DRV - (SndTDriverV32) -- C:\WINDOWS\system32\drivers\SndTDriverV32.sys (Windows ® 2000/XP)
DRV - (MovRVDrv32) -- C:\WINDOWS\system32\drivers\MovRVDrv32.sys (Windows ® 2000 DDK provider)
DRV - (SFSZ) -- C:\WINDOWS\system32\drivers\sfsz.sys (DataPlow, Incorporated)
DRV - (ZetBus) -- C:\WINDOWS\system32\drivers\ZetBus.sys (Zetera Corporation)
DRV - (ZetSFD) -- C:\WINDOWS\system32\DRIVERS\ZetSFD.sys (Zetera Corporation)
DRV - (ZetMPD) -- C:\WINDOWS\system32\drivers\ZetMPD.sys (Zetera Corporation)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (mcdbus) -- C:\WINDOWS\system32\drivers\mcdbus.sys (MagicISO, Inc.)
DRV - (SE27bus) Sony Ericsson Device 039 Driver driver (WDM) -- C:\WINDOWS\system32\drivers\SE27bus.sys (MCCI)
DRV - (ctprxy2k) -- C:\WINDOWS\system32\drivers\ctprxy2k.sys (Creative Technology Ltd)
DRV - (ctaud2k) Creative Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\ctaud2k.sys (Creative Technology Ltd)
DRV - (hap17v2k) -- C:\WINDOWS\system32\drivers\haP17v2k.sys (Creative Technology Ltd)
DRV - (ha10kx2k) -- C:\WINDOWS\system32\drivers\ha10kx2k.sys (Creative Technology Ltd)
DRV - (hap16v2k) -- C:\WINDOWS\system32\drivers\haP16v2k.sys (Creative Technology Ltd)
DRV - (ossrv) -- C:\WINDOWS\system32\drivers\ctoss2k.sys (Creative Technology Ltd.)
DRV - (ctsfm2k) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys (Creative Technology Ltd)
DRV - (emupia) -- C:\WINDOWS\system32\drivers\emupia2k.sys (Creative Technology Ltd)
DRV - (ctac32k) -- C:\WINDOWS\system32\drivers\ctac32k.sys (Creative Technology Ltd)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.Sys (Realtek Semiconductor Corp.)
DRV - (SE27mdm) -- C:\WINDOWS\system32\drivers\SE27mdm.sys (MCCI)
DRV - (SE27mdfl) -- C:\WINDOWS\system32\drivers\SE27mdfl.sys (MCCI)
DRV - (se27unic) Sony Ericsson Device 039 USB Ethernet Emulation SEMC39 (WDM) -- C:\WINDOWS\system32\drivers\se27unic.sys (MCCI)
DRV - (ati2mtag) -- C:\WINDOWS\system32\drivers\ati2mtag.sys (ATI Technologies Inc.)
DRV - (ctdvda2k) -- C:\WINDOWS\system32\drivers\ctdvda2k.sys (Creative Technology Ltd)
DRV - (RTL8023xp) -- C:\WINDOWS\system32\drivers\Rtnicxp.sys (Realtek Semiconductor Corporation )
DRV - (rtl8139) Realtek RTL8139(A/B/C) -- C:\WINDOWS\system32\drivers\RTL8139.sys (Realtek Semiconductor Corporation)
DRV - (iAimFP4) -- C:\WINDOWS\system32\drivers\wVchNTxx.sys (Intel® Corporation)
DRV - (iAimFP3) -- C:\WINDOWS\system32\drivers\wSiINTxx.sys (Intel® Corporation)
DRV - (iAimTV5) -- C:\WINDOWS\system32\drivers\wATV10nt.sys (Intel® Corporation)
DRV - (iAimTV4) -- C:\WINDOWS\system32\drivers\wCh7xxNT.sys (Intel® Corporation)
DRV - (iAimTV6) -- C:\WINDOWS\system32\drivers\wATV06nt.sys (Intel® Corporation)
DRV - (iAimTV3) -- C:\WINDOWS\system32\drivers\wATV04nt.sys (Intel® Corporation)
DRV - (iAimTV1) -- C:\WINDOWS\system32\drivers\wATV02NT.sys (Intel® Corporation)
DRV - (iAimTV0) -- C:\WINDOWS\system32\drivers\wATV01nt.sys (Intel® Corporation)
DRV - (iAimFP7) -- C:\WINDOWS\system32\drivers\wADV09NT.sys (Intel® Corporation)
DRV - (iAimFP5) -- C:\WINDOWS\system32\drivers\wADV07nt.sys (Intel® Corporation)
DRV - (iAimFP6) -- C:\WINDOWS\system32\drivers\wADV08NT.sys (Intel® Corporation)
DRV - (i81x) -- C:\WINDOWS\system32\drivers\i81xnt5.sys (Intel® Corporation)
DRV - (iAimFP0) -- C:\WINDOWS\system32\drivers\wADV01nt.sys (Intel® Corporation)
DRV - (iAimFP1) -- C:\WINDOWS\system32\drivers\wADV02NT.sys (Intel® Corporation)
DRV - (iAimFP2) -- C:\WINDOWS\system32\drivers\wADV05NT.sys (Intel® Corporation)
DRV - (adpu320) -- C:\WINDOWS\system32\DRIVERS\adpu320.sys (Adaptec, Inc.)
DRV - (Symmpi) -- C:\WINDOWS\system32\DRIVERS\symmpi.sys (LSI Logic)
DRV - (sym_u3) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys (LSI Logic)
DRV - (sym_hi) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys (LSI Logic)
DRV - (symc8xx) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys (LSI Logic)
DRV - (symc810) -- C:\WINDOWS\system32\DRIVERS\symc810.sys (Symbios Logic Inc.)
DRV - (ac97intc) Intel® 82801 Audio Driver Install Service (WDM) -- C:\WINDOWS\system32\drivers\ac97intc.sys (Intel Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.co...ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = http://www.google.co.uk/ig?hl=en [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.defaulturl: "http://uk.search.yah...r=ytff-sunm&p="
FF - prefs.js..browser.search.param.yahoo-fr: "moz2-ytff-sunm"
FF - prefs.js..browser.search.param.yahoo-fr-cjkt: "moz2-ytff-sunm"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.19
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.1
FF - prefs.js..extensions.enabledItems: [email protected]:0.51
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:2.0
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}:6.0.21
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..keyword.URL: "http://uk.search.yah...h?fr=mcafee&p="
FF - prefs.js..network.proxy.http_por: ""


FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/06/02 10:16:16 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2008/10/30 09:04:17 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/07/26 10:54:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.8\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/07/31 12:03:31 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 3.1.1\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/07/22 16:12:05 | 000,000,000 | ---D | M]

[2010/01/20 15:07:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2010/01/20 15:07:49 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2009/07/09 12:47:30 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\{ea278cf8-93cd-484f-b951-57360482d33a}
[2009/03/27 10:56:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions\[email protected]
[2010/07/31 12:08:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions
[2010/04/27 19:29:02 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/07/05 08:22:27 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008/07/15 19:42:59 | 000,000,000 | ---D | M] (SeoQuake) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{317B5128-0B0B-49b2-B2DB-1E7560E16C74}(2)
[2010/07/31 12:07:24 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/12/22 15:01:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{d57c9ff1-6389-48fc-b770-f78bd89b6e8a}
[2010/06/15 14:13:13 | 000,000,000 | ---D | M] (Page Speed) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}
[2008/07/15 19:42:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\amin.eft_PhProxy@gmail(2).com
[2008/07/15 19:42:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected](2).org
[2008/10/08 10:51:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected]
[2010/05/10 08:59:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected]
[2009/08/13 13:05:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected](2).jung
[2010/06/14 14:34:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected]
[2008/07/15 19:43:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\seo4firefox@seobook(2).com
[2009/08/13 13:05:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\seo4firefox@seobook(3).com
[2010/04/12 16:11:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\[email protected]
[2007/03/27 14:47:44 | 000,002,386 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\searchplugins\siteadvisor.xml
[2010/07/31 12:09:00 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/03/27 14:42:42 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/07/27 15:34:01 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2008/07/15 19:42:58 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\Proxybar@Proxy-trash
[2010/04/27 17:16:24 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/07/27 15:33:35 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/07/27 15:24:32 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2010/07/02 13:03:02 | 000,002,027 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2010/07/27 17:32:09 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20100514083546.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile) - {D5233FCD-D258-4903-89B8-FB1568E7413D} - Reg Error: Value error. File not found
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKCU..\Run: [OpenDNS Updater] C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoNetHood = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoComputersNearMe = 0
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://go.microsoft....k/?linkid=58813 (Office Genuine Advantage Validation Tool)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/...UI.cab55579.cab (MSN Games – Matchmaking)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative....026/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} http://zone.msn.com/...dy.cab55579.cab (MSN Games – Buddy Invite)
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} http://zone.msn.com/...at.cab55579.cab (MSN Games – Game Chat)
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} http://cdn.scan.onec...lscbase6087.cab (Windows Live Safety Center Base Module)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.micros...b?1168334057234 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} http://www.superadbl...ivex/sabspx.cab (SABScanProcesses Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn...k.cab102118.cab (MSN Games - Installer)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.micros...ntent/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_21)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Reg Error: Key error.)
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} https://bis.eu.black...ls/TOImport.cab (TeamOn Import Object)
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} http://zone.msn.com/...xy.cab55579.cab (MSN Games – Game Communicator)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://sageuk.webex...bex/ieatgpc.cab (GpcContainer Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative....15028/CTPID.cab (Creative Software AutoUpdate Support Package)
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} http://zone.msn.com/...on.cab64162.cab (MSN Games – Backgammon)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\mctp {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\aatp.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\HPQ1280h.BMP
O24 - Desktop BackupWallPaper: C:\WINDOWS\HPQ1280h.BMP
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O33 - MountPoints2\{5B6CD562-B451-4338-A1DB-0D7929D82601}\Shell - "" = AutoRun
O33 - MountPoints2\{5B6CD562-B451-4338-A1DB-0D7929D82601}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{A9B7B29B-3FEB-4568-B2B7-47F913E81889}\Shell - "" = AutoRun
O33 - MountPoints2\{A9B7B29B-3FEB-4568-B2B7-47F913E81889}\Shell\AutoRun - "" = Auto&Play
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: HidServ - C:\WINDOWS\System32\hidserv.dll File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: MSACM.CEGSM - C:\WINDOWS\System32\mobileV.acm ()
Drivers32: msacm.iac2 - C:\WINDOWS\system32\iac25_32.ax (Intel Corporation)
Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.siren - C:\WINDOWS\System32\sirenacm.dll (Microsoft Corporation)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: msacm.vorbis - C:\WINDOWS\System32\vorbis.acm (HMS http://hp.vector.co....thors/VA012897/)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16902109354000384)

========== Files/Folders - Created Within 30 Days ==========

[2010/07/28 16:42:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\Foxit Software
[2010/07/27 20:13:19 | 000,744,448 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\helpsvc.exe
[2010/07/27 17:48:44 | 000,574,976 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/27 17:27:50 | 001,170,256 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/07/27 17:26:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\GooredFix Backups
[2010/07/27 17:25:30 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2010/07/27 17:12:01 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/07/27 17:09:38 | 000,520,192 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTM.exe
[2010/07/27 16:43:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\OpenDNS Updater
[2010/07/27 16:43:42 | 000,000,000 | ---D | C] -- C:\Program Files\OpenDNS Updater
[2010/07/27 15:33:58 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/07/27 15:33:58 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/07/27 15:33:58 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/07/27 15:33:58 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/27 15:25:21 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010/07/27 15:05:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\geekstogo sys restore
[2010/07/27 12:06:00 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/07/27 12:05:58 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/07/27 12:01:51 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/07/27 12:01:27 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/07/27 11:46:36 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/07/23 17:28:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Desktop\Bell Images
[2010/07/22 16:12:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\RetroExp
[2010/07/22 13:14:21 | 000,013,824 | R--- | C] (Windows ® Codename Longhorn DDK provider) -- C:\WINDOWS\System32\drivers\QsFsFltr.sys
[2010/07/22 13:11:48 | 000,000,000 | ---D | C] -- C:\Program Files\Iomega
[2010/07/14 08:27:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Temp
[2010/07/12 12:25:41 | 000,000,000 | ---D | C] -- C:\Program Files\WinASO
[2006/08/11 15:56:28 | 000,033,792 | ---- | C] ( ) -- C:\WINDOWS\System32\a3d.dll

========== Files - Modified Within 30 Days ==========

[2010/08/01 12:27:05 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/08/01 12:19:13 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/08/01 12:16:49 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Total Protection.lnk
[2010/08/01 12:16:41 | 000,088,566 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/08/01 12:16:33 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/08/01 12:16:20 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/08/01 12:16:09 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/08/01 12:16:04 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\BWWI.job
[2010/08/01 12:16:04 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/08/01 12:15:50 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/08/01 12:15:42 | 1072,222,208 | -HS- | M] () -- C:\hiberfil.sys
[2010/07/31 22:37:22 | 011,796,480 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat
[2010/07/31 22:37:22 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\Administrator\ntuser.ini
[2010/07/31 22:37:11 | 004,844,506 | -H-- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db
[2010/07/31 17:43:25 | 000,000,438 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{A7BFBBAD-82C4-48E6-AE23-830EC8F01B93}.job
[2010/07/30 15:54:25 | 000,422,091 | ---- | M] () -- C:\Documents and Settings\Administrator\.ranktracker.properties
[2010/07/30 09:06:03 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/07/30 09:05:12 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2010/07/29 10:51:23 | 000,007,532 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\150-pint-of-guinness.jpg
[2010/07/29 10:01:46 | 000,000,742 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2010/07/28 03:03:23 | 000,553,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/07/28 03:03:23 | 000,479,486 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/07/28 03:03:23 | 000,085,016 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/07/27 17:52:33 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\z5zt5jcg.exe
[2010/07/27 17:48:45 | 000,574,976 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTL.exe
[2010/07/27 17:32:09 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2010/07/27 17:26:09 | 001,108,900 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2010/07/27 17:25:31 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\Administrator\Desktop\GooredFix.exe
[2010/07/27 17:09:40 | 000,520,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\OTM.exe
[2010/07/27 16:42:30 | 000,225,336 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\OpenDNS-Updater-2.2.1.exe
[2010/07/27 15:33:35 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/07/27 15:33:35 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/07/27 15:33:35 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/07/27 15:33:35 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/07/27 15:33:34 | 000,423,656 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/07/27 15:25:22 | 000,000,901 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk
[2010/07/27 14:51:33 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/07/27 14:50:29 | 054,835,272 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\setup_av_free.exe
[2010/07/27 12:06:02 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/27 12:01:28 | 000,000,611 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/07/27 12:01:28 | 000,000,592 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/07/27 11:46:38 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\Desktop\TFC.exe
[2010/07/27 09:43:57 | 054,835,272 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\setup_av_free.exe
[2010/07/26 16:34:07 | 000,202,723 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Horizon Pump Clip.jpg
[2010/07/26 14:56:31 | 001,942,236 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Great Bustard.jpg
[2010/07/26 14:56:26 | 001,928,595 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Spire Ale.jpg
[2010/07/26 14:50:26 | 000,025,508 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\stonehenge-pigswill.jpg
[2010/07/26 14:49:41 | 000,031,040 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\6x-pump-clip.jpg
[2010/07/23 12:07:56 | 000,002,516 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
[2010/07/22 16:11:12 | 001,170,256 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Administrator\Desktop\TDSSKiller.exe
[2010/07/22 15:50:02 | 000,176,637 | ---- | M] () -- C:\Documents and Settings\Administrator\My Documents\Sales site stuff.zip
[2010/07/20 16:00:12 | 000,442,125 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\afiliate.pdf
[2010/07/19 13:08:20 | 000,000,760 | ---- | M] () -- C:\WINDOWS\cedt.INI
[2010/07/16 14:15:44 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Office FrontPage 2003 (2).lnk
[2010/07/16 12:37:07 | 000,053,008 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\template receipt 100716.pdf
[2010/07/16 10:50:40 | 000,045,564 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\PC World HD.pdf
[2010/07/15 12:49:38 | 001,743,360 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\The Bell Images.doc
[2010/07/12 12:45:00 | 011,796,480 | ---- | M] () -- C:\Documents and Settings\Administrator\ntuser.dat.bak
[2010/07/12 12:43:03 | 000,000,058 | ---- | M] () -- C:\WINDOWS\RegDefrag.ini
[2010/07/12 12:25:47 | 000,000,833 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\WinASO Registry Optimizer.lnk
[2010/07/03 11:25:22 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat

========== Files Created - No Company Name ==========

[2010/07/29 10:51:23 | 000,007,532 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\150-pint-of-guinness.jpg
[2010/07/28 10:20:01 | 1072,222,208 | -HS- | C] () -- C:\hiberfil.sys
[2010/07/27 17:52:31 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\z5zt5jcg.exe
[2010/07/27 17:26:01 | 001,108,900 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\tdsskiller.zip
[2010/07/27 16:42:28 | 000,225,336 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\OpenDNS-Updater-2.2.1.exe
[2010/07/27 15:25:22 | 000,000,901 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxit Reader.lnk
[2010/07/27 14:41:33 | 054,835,272 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\setup_av_free.exe
[2010/07/27 12:06:02 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/07/27 12:01:28 | 000,000,611 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\NTREGOPT.lnk
[2010/07/27 12:01:28 | 000,000,592 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\ERUNT.lnk
[2010/07/27 11:40:00 | 000,000,472 | ---- | C] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/07/27 11:34:32 | 000,000,868 | ---- | C] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/07/27 09:42:34 | 054,835,272 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\setup_av_free.exe
[2010/07/26 16:34:07 | 000,202,723 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Horizon Pump Clip.jpg
[2010/07/26 14:56:30 | 001,942,236 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Great Bustard.jpg
[2010/07/26 14:56:25 | 001,928,595 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\Spire Ale.jpg
[2010/07/26 14:50:50 | 000,025,508 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\stonehenge-pigswill.jpg
[2010/07/26 14:49:59 | 000,031,040 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\6x-pump-clip.jpg
[2010/07/22 15:50:02 | 000,176,637 | ---- | C] () -- C:\Documents and Settings\Administrator\My Documents\Sales site stuff.zip
[2010/07/20 16:00:03 | 000,442,125 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\afiliate.pdf
[2010/07/16 12:37:04 | 000,053,008 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\template receipt 100716.pdf
[2010/07/16 10:50:41 | 000,045,564 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\PC World HD.pdf
[2010/07/15 12:49:38 | 001,743,360 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\The Bell Images.doc
[2010/07/12 12:43:47 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Administrator\ntuser.dat.new.LOG
[2010/07/12 12:43:03 | 000,000,058 | ---- | C] () -- C:\WINDOWS\RegDefrag.ini
[2010/07/12 12:25:47 | 000,000,833 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\WinASO Registry Optimizer.lnk
[2010/04/28 15:37:44 | 000,000,760 | ---- | C] () -- C:\WINDOWS\cedt.INI
[2010/04/26 10:53:56 | 000,093,184 | RHS- | C] () -- C:\WINDOWS\System32\winfaxe.dll
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.dll
[2008/08/13 18:58:59 | 000,163,927 | ---- | C] () -- C:\WINDOWS\System32\ZSANCoInst.dll
[2007/10/08 12:50:57 | 000,156,160 | ---- | C] () -- C:\WINDOWS\System32\unrar3.dll
[2007/10/08 12:50:57 | 000,075,264 | ---- | C] () -- C:\WINDOWS\System32\unacev2.dll
[2007/06/05 17:55:05 | 000,000,243 | ---- | C] () -- C:\WINDOWS\ActiveAct.INI
[2007/05/16 16:44:01 | 000,018,764 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
[2007/02/23 12:09:49 | 000,051,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2007/01/11 14:16:02 | 000,086,446 | ---- | C] () -- C:\WINDOWS\System32\instwdm.ini
[2007/01/11 14:16:02 | 000,003,072 | ---- | C] () -- C:\WINDOWS\CTXFIRES.DLL
[2007/01/11 14:16:02 | 000,000,191 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2007/01/08 13:40:00 | 000,000,742 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/10/22 13:22:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 13:22:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 13:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 13:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 13:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 13:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/22 13:22:00 | 000,212,992 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/10/09 13:39:28 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/10/09 13:35:29 | 000,000,059 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/10/09 13:33:42 | 000,143,360 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2006/10/03 22:33:54 | 000,462,848 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2006/08/11 15:57:18 | 000,037,888 | ---- | C] () -- C:\WINDOWS\System32\CTBURST.DLL
[2006/05/23 13:40:34 | 000,000,269 | ---- | C] () -- C:\WINDOWS\System32\KILL.INI
[2006/02/24 16:54:42 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\deskMenu2.dll
[2005/06/16 19:17:16 | 000,071,680 | ---- | C] () -- C:\WINDOWS\System32\CTMMACTL.DLL
[2003/09/17 21:00:55 | 000,266,327 | ---- | C] () -- C:\WINDOWS\System32\ADErrorHandling.dll
[2002/05/08 10:12:22 | 000,000,805 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini

========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/08/01 12:15:41 | 000,042,108 | ---- | M] () -- C:\aaw7boot.log
[2008/12/10 13:13:10 | 000,063,425 | ---- | M] () -- C:\ActExtLog.txt
[2010/07/30 09:05:12 | 000,000,211 | RHS- | M] () -- C:\boot.ini
[2007/02/23 13:21:09 | 000,466,074 | ---- | M] () -- C:\CIS NRS manual 2007.pdf
[2008/12/16 12:55:23 | 000,000,081 | ---- | M] () -- C:\CTX.DAT
[2010/08/01 12:15:42 | 1072,222,208 | -HS- | M] () -- C:\hiberfil.sys
[2007/01/05 09:29:09 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/06/15 18:10:57 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2007/01/05 09:29:09 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 09:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/07/04 10:36:12 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2010/08/01 12:15:41 | 805,306,368 | -HS- | M] () -- C:\pagefile.sys
[2007/02/05 19:07:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata00.sqm
[2007/02/20 10:18:47 | 000,000,268 | -H-- | M] () -- C:\sqmdata01.sqm
[2007/02/20 10:30:40 | 000,000,268 | -H-- | M] () -- C:\sqmdata02.sqm
[2007/03/22 10:48:49 | 000,000,268 | -H-- | M] () -- C:\sqmdata03.sqm
[2007/04/09 17:05:44 | 000,000,268 | -H-- | M] () -- C:\sqmdata04.sqm
[2007/04/10 08:59:46 | 000,000,268 | -H-- | M] () -- C:\sqmdata05.sqm
[2007/04/11 08:28:54 | 000,000,268 | -H-- | M] () -- C:\sqmdata06.sqm
[2007/04/11 16:20:36 | 000,000,268 | -H-- | M] () -- C:\sqmdata07.sqm
[2007/04/13 09:21:05 | 000,000,268 | -H-- | M] () -- C:\sqmdata08.sqm
[2007/04/30 09:24:48 | 000,000,268 | -H-- | M] () -- C:\sqmdata09.sqm
[2007/05/15 17:26:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata10.sqm
[2007/05/16 17:30:13 | 000,000,268 | -H-- | M] () -- C:\sqmdata11.sqm
[2007/05/17 09:34:49 | 000,000,268 | -H-- | M] () -- C:\sqmdata12.sqm
[2007/05/17 09:52:21 | 000,000,268 | -H-- | M] () -- C:\sqmdata13.sqm
[2008/03/14 23:22:37 | 000,000,268 | -H-- | M] () -- C:\sqmdata14.sqm
[2009/04/24 08:21:35 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2009/04/24 08:30:25 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
[2007/02/05 19:07:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2007/02/20 10:18:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2007/02/20 10:30:40 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2007/03/22 10:48:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2007/04/09 17:05:44 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2007/04/10 08:59:46 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2007/04/11 08:28:54 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2007/04/11 16:20:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2007/04/13 09:21:05 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2007/04/30 09:24:48 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2007/05/15 17:26:37 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2007/05/16 17:30:13 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2007/05/17 09:34:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2007/05/17 09:52:21 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2008/03/14 23:22:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2008/03/14 23:22:36 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009/04/24 08:21:35 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009/04/24 08:30:25 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2010/07/27 17:29:04 | 000,050,202 | ---- | M] () -- C:\TDSSKiller.2.4.0.0_27.07.2010_17.28.04_log.txt

< %systemroot%\system32\*.wt >

< %systemroot%\system32\*.ruy >

< %systemroot%\Fonts\*.com >
[2006/04/18 15:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 14:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 15:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 14:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2004/08/09 14:32:58 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 13:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2008/07/06 11:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2009/07/10 13:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll
[2010/04/26 10:53:56 | 000,093,184 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\winfaxe.dll

< %systemroot%\Tasks\*.job /lockedfiles >
[2010/08/01 12:16:04 | 000,000,316 | -HS- | M] () Unable to obtain MD5 -- C:\WINDOWS\Tasks\BWWI.job

< %systemroot%\System32\config\*.sav >
[2004/08/09 07:20:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2004/08/09 07:20:08 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2004/08/09 07:20:08 | 000,864,256 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2010-07-30 08:17:46
< End of report >

Edited by Steve_gts, 01 August 2010 - 05:53 AM.

  • 0

#4
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello,


OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox. Do not include the word "Code"

    :Services
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O2 - BHO: (Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile) - {D5233FCD-D258-4903-89B8-FB1568E7413D} - Reg Error: Value error. File not found
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macr...director/sw.cab (Reg Error: Key error.)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Reg Error: Key error.)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
    O33 - MountPoints2\{5B6CD562-B451-4338-A1DB-0D7929D82601}\Shell - "" = AutoRun
    O33 - MountPoints2\{5B6CD562-B451-4338-A1DB-0D7929D82601}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{A9B7B29B-3FEB-4568-B2B7-47F913E81889}\Shell - "" = AutoRun
    O33 - MountPoints2\{A9B7B29B-3FEB-4568-B2B7-47F913E81889}\Shell\AutoRun - "" = Auto&Play
    [2010/08/01 12:16:04 | 000,000,316 | -HS- | M] () -- C:\WINDOWS\tasks\BWWI.job
    [2010/04/26 10:53:56 | 000,093,184 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\winfaxe.dll
    
    
    :Reg
    
    :Files
    
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.


NEXT:



Running ComboFix
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describe how your computer is running now.
  • 0
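The two file lines the helper put into the OTL fix above (winfaxe.dll and BWWI.job) are the ones that stand out in the OTL file listing: hidden+system attributes, no publisher string, and OTL reporting "Unable to obtain MD5" because the file was locked. The following script is an added example, not code from this thread, from OTL or from OldTimer: it parses OTL file-listing lines of the format quoted in the log and applies that same triage heuristic. The sample lines are copied from the OTL report in this thread; the regex, the `OtlEntry` class, the extension list and the "two or more reasons" threshold are all my own assumptions about how to score the entries.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Matches one OTL file-listing line, e.g.
# [2010/04/26 10:53:56 | 000,093,184 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\winfaxe.dll
# Pattern is an assumption derived from the lines in this thread, not OTL's own spec.
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[A-Z])\] "
    r"\((?P<company>[^)]*)\)(?P<locked> Unable to obtain MD5)? -- (?P<path>.+)$"
)

# Extensions treated as "executes or schedules execution" (assumption).
EXECUTABLE_EXT = (".dll", ".exe", ".sys", ".scr", ".job")


@dataclass
class OtlEntry:
    timestamp: str
    size: int
    attrs: str      # e.g. "RHS-": R=read-only, H=hidden, S=system
    company: str    # publisher string shown in parentheses, "" if none
    locked: bool    # True when OTL printed "Unable to obtain MD5"
    path: str

    @property
    def hidden_system(self) -> bool:
        return "H" in self.attrs and "S" in self.attrs


def parse_otl_line(line: str) -> Optional[OtlEntry]:
    """Parse one listing line; returns None for directive lines like '< ... >'."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return OtlEntry(
        timestamp=m["ts"],
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        company=m["company"].strip(),
        locked=m["locked"] is not None,
        path=m["path"].strip(),
    )


def triage_reasons(e: OtlEntry) -> list[str]:
    """Return the reasons this entry looks worth a closer look (empty list = benign-looking)."""
    reasons = []
    lower = e.path.lower()
    executable = lower.endswith(EXECUTABLE_EXT)
    if executable and e.hidden_system:
        reasons.append("hidden+system attributes on an executable/task file")
    if executable and not e.company and "\\windows\\" in lower:
        reasons.append("no publisher string for a file under the Windows directory")
    if e.locked:
        reasons.append("file was locked at scan time (OTL could not hash it)")
    return reasons


def triage(lines: list[str], min_reasons: int = 2) -> list[tuple[str, list[str]]]:
    """Parse every line and return (path, reasons) for entries with at least min_reasons hits."""
    flagged = []
    for line in lines:
        e = parse_otl_line(line)
        if e is None:
            continue
        reasons = triage_reasons(e)
        if len(reasons) >= min_reasons:
            flagged.append((e.path, reasons))
    return flagged


# Sample input copied from the OTL report posted in this thread.
SAMPLE_LINES = [
    r"[2007/05/17 09:34:49 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm",
    r"[2004/08/09 14:32:58 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini",
    r"[2009/07/10 13:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR",
    r"[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll",
    r"[2010/04/26 10:53:56 | 000,093,184 | RHS- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\winfaxe.dll",
    r"[2010/08/01 12:16:04 | 000,000,316 | -HS- | M] () Unable to obtain MD5 -- C:\WINDOWS\Tasks\BWWI.job",
    r"[2004/08/09 07:20:08 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav",
    r"< %systemroot%\system32\*.wt >",
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LINES):
        print(path)
        for r in reasons:
            print("   -", r)
```

Run as-is it reports exactly the two entries that went into the fix (winfaxe.dll and BWWI.job). Note that a locked Microsoft-signed file such as dxtmsft.dll collects only one reason and is not flagged; "Unable to obtain MD5" on its own is common for in-use system DLLs and is not evidence of infection.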

#5
Steve_gts

Steve_gts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Hi,

OTL ran OK and I have attached the report below. I had to reboot and it took 2 attempts to get the PC started, the second time it "recovered from a serious error" and was OK.

Combofix would not download, I got a message saying "could not be saved an unknown error occurred try saving to a different location". I didn't, as you specified the desktop. Then McAfee said a trojan was removed: Artemis! AF74912D4F3C. I then tried downloading from the second link and McAfee warned it was adware and prevented the download. When I tried clicking the links again I just keep getting the "page not found, Firefox can't find the file" message.

On the plus side, a quick check on Firefox and the redirecting seems to have stopped.

All processes killed
========== SERVICES/DRIVERS ==========
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5233FCD-D258-4903-89B8-FB1568E7413D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D5233FCD-D258-4903-89B8-FB1568E7413D}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ deleted successfully.
Starting removal of ActiveX control {166B1BCA-3F9C-11CF-8075-444553540000}
C:\WINDOWS\Downloaded Program Files\setup.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{166B1BCA-3F9C-11CF-8075-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{166B1BCA-3F9C-11CF-8075-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{166B1BCA-3F9C-11CF-8075-444553540000}\ not found.
Starting removal of ActiveX control {D27CDB6E-AE6D-11CF-96B8-444553540000}
C:\WINDOWS\Downloaded Program Files\swflash.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
Registry error reading value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\DownloadInformation\\INF .
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5B6CD562-B451-4338-A1DB-0D7929D82601}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B6CD562-B451-4338-A1DB-0D7929D82601}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5B6CD562-B451-4338-A1DB-0D7929D82601}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B6CD562-B451-4338-A1DB-0D7929D82601}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{A9B7B29B-3FEB-4568-B2B7-47F913E81889}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A9B7B29B-3FEB-4568-B2B7-47F913E81889}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{A9B7B29B-3FEB-4568-B2B7-47F913E81889}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A9B7B29B-3FEB-4568-B2B7-47F913E81889}\ not found.
C:\WINDOWS\tasks\BWWI.job moved successfully.
C:\WINDOWS\system32\winfaxe.dll moved successfully.
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully
Restore point Set: OTL Restore Point (0)

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 6641380 bytes
->Temporary Internet Files folder emptied: 6149485 bytes
->Java cache emptied: 5428 bytes
->FireFox cache emptied: 81727195 bytes
->Google Chrome cache emptied: 0 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 605 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 13532 bytes
->Temporary Internet Files folder emptied: 756518 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 943 bytes

User: Steve
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 15361252 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 15243390 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 34039490 bytes

Total Files Cleaned = 153.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default User
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

User: Steve

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08012010_153001

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
  • 0

#6
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
I need for you to disable McAfee before downloading ComboFix to your computer.
  • 0

#7
Steve_gts

Steve_gts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Have disabled McAfee and Adaware, but whenever I click the links in your post above I get the following error:

File not found

Firefox can't find the file at http://download.blee...s/ComboFix.exe.

* Check the file name for capitalization or other typing errors.

* Check to see if the file was moved, renamed or deleted.
  • 0

#8
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Let me check on something.
  • 0

#9
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Can you please try using this link here
  • 0

#10
Steve_gts

Steve_gts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
No, I'm getting the same problem with that one too
  • 0



#11
SweetTech

SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Can you try downloading it in an alternative browser? If not, or if that still doesn't work, then please try downloading it in Safe Mode w/ Networking and see if you have better luck there.
  • 0

#12
Steve_gts

Steve_gts

    Member

  • Topic Starter
  • Member
  • PipPip
  • 29 posts
Success! I used Chrome instead and it worked fine. The PC seems better, no redirects and Firefox opened inside a minute for the first time in weeks. I'll reboot it and see how that goes and update ASAP.

ComboFix 10-07-31.04 - Administrator 01/08/2010 17:18:23.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.343 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\Administrator\g2mdlhlpx.exe
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
c:\windows\system32\fsc.txt
c:\windows\system32\ide.txt
c:\windows\system32\klgd.bmp
c:\windows\system32\lrg.txt
c:\windows\system32\qks.txt

.
((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.

2010-08-01 14:30 . 2010-08-01 14:30 -------- d-----w- C:\_OTL
2010-07-28 15:42 . 2010-07-28 15:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Foxit Software
2010-07-27 19:13 . 2010-06-14 14:31 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-27 16:12 . 2010-07-27 16:12 -------- d-----w- C:\_OTM
2010-07-27 15:43 . 2010-07-27 15:43 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenDNS Updater
2010-07-27 15:43 . 2010-07-27 15:43 -------- d-----w- c:\program files\OpenDNS Updater
2010-07-27 14:25 . 2010-07-27 14:25 -------- d-----w- c:\program files\Foxit Software
2010-07-27 11:06 . 2010-04-29 14:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-27 11:05 . 2010-04-29 14:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-27 11:01 . 2010-07-27 11:01 -------- d-----w- c:\program files\ERUNT
2010-07-22 15:12 . 2010-07-22 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\RetroExp
2010-07-22 12:14 . 2009-02-25 10:34 13824 ----a-r- c:\windows\system32\drivers\QsFsFltr.sys
2010-07-22 12:11 . 2010-07-22 12:14 -------- d-----w- c:\program files\Iomega
2010-07-14 07:27 . 2010-07-14 07:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-07-12 11:25 . 2010-07-12 11:25 -------- d-----w- c:\program files\WinASO
2010-07-05 07:22 . 2010-07-01 12:52 1496064 ------w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-07-05 07:22 . 2010-07-01 12:51 43008 ------w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-07-05 07:22 . 2010-07-01 12:51 338944 ------w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-07-05 07:22 . 2010-07-01 12:51 346112 ------w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-01 15:39 . 2008-07-04 11:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-07-31 11:03 . 2010-06-07 13:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-29 08:16 . 2007-07-11 14:13 -------- d-----w- c:\program files\Actinic v8
2010-07-27 16:29 . 2004-08-04 08:00 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-07-27 14:33 . 2010-06-15 12:09 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-27 14:22 . 2006-10-09 12:31 -------- d-----w- c:\program files\Common Files\Java
2010-07-27 14:19 . 2006-10-09 12:33 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-27 13:51 . 2010-06-28 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-07-27 11:06 . 2010-03-10 16:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-27 09:24 . 2010-03-10 20:48 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-27 09:23 . 2010-03-10 20:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-27 09:19 . 2006-10-09 12:34 -------- d-----w- c:\program files\Google
2010-07-26 10:13 . 2010-01-20 15:15 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-07-23 11:07 . 2008-03-11 12:46 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-07-23 11:07 . 2008-03-11 12:46 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2010-07-22 15:26 . 2007-01-11 13:16 -------- d-----w- c:\program files\Creative
2010-07-03 10:25 . 2010-06-18 08:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-28 16:49 . 2010-06-28 16:49 -------- d-----w- c:\program files\Alwil Software
2010-06-24 19:39 . 2008-11-26 12:15 -------- d-----w- c:\program files\QuickTime
2010-06-24 18:43 . 2010-06-17 14:04 112 ------w- c:\documents and settings\All Users\Application Data\NOD8JYA.dat
2010-06-24 16:23 . 2007-05-16 15:43 -------- d-----w- c:\program files\Docudesk
2010-06-23 14:26 . 2010-06-23 14:26 501936 ------w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1D7.tmp.exe
2010-06-15 16:42 . 2010-06-15 16:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\IBP
2010-06-15 12:11 . 2010-06-15 12:11 503808 ------w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62014bbf-n\msvcp71.dll
2010-06-15 12:11 . 2010-06-15 12:11 12800 ------w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-572843a9-n\decora-d3d.dll
2010-06-15 12:11 . 2010-06-15 12:11 499712 ------w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62014bbf-n\jmc.dll
2010-06-15 12:11 . 2010-06-15 12:11 61440 ------w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-572843a9-n\decora-sse.dll
2010-06-15 12:11 . 2010-06-15 12:11 348160 ------w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-62014bbf-n\msvcr71.dll
2010-06-15 12:08 . 2006-10-09 12:31 -------- d-----w- c:\program files\Java
2010-06-15 10:07 . 2010-06-15 10:07 4096 ------w- c:\documents and settings\Administrator\Application Data\C8D1D49FF8E60DCC0ED4D06536BF3598\setupupdater0000.exe
2010-06-15 10:07 . 2010-06-15 10:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\C8D1D49FF8E60DCC0ED4D06536BF3598
2010-06-14 14:31 . 2004-08-04 08:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-12 07:49 . 2010-04-28 07:49 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-11 09:39 . 2010-06-11 09:30 -------- d-----w- c:\program files\Windows Live Safety Center
2010-06-07 13:27 . 2010-06-07 13:27 86016 ------w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-06-07 08:12 . 2009-11-15 14:09 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-02 09:28 . 2010-06-15 13:13 865792 ------w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
2010-05-21 13:14 . 2009-10-05 08:06 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-06 10:41 . 2004-08-04 08:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-04-27 16:16 . 2010-04-28 11:32 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
<pre>
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Compaq\SetRefresh\SetRefresh .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\qttask                 .exe
c:\windows\system32\CTXFIHLP .exe
</pre>

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OpenDNS Updater"="c:\program files\OpenDNS Updater\OpenDNSUpdater.exe" [2010-06-16 839680]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-06-24 1193848]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act! Preloader]
2009-08-24 20:20 331776 ----a-w- c:\program files\ACT\Act for Windows\ActSage.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Act.Outlook.Service]
2009-08-24 20:09 28672 ----a-w- c:\program files\ACT\Act for Windows\Act.Outlook.Service.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-13 19:21 133104 -----tw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-02-18 16:40 2012912 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2006-11-03 18:20 866584 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Actinic v8\\Catalog.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\ACT\\Act for Windows\\ActSage.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\BT Business Broadband Desktop Help\\btbb\\BTHelpBrowser.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [28/04/2010 08:49 64288]
R0 ZetSFD;ZetSFD;c:\windows\system32\drivers\ZetSFD.sys [13/08/2008 18:59 12800]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [26/04/2010 09:16 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 66632]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [05/09/2008 07:54 93320]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [26/04/2010 09:16 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [26/04/2010 09:16 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [26/04/2010 09:16 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [26/04/2010 09:16 141792]
R2 MSSQL$ACT7;SQL Server (ACT7);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [27/05/2009 03:27 29262680]
R2 SFSZ;DataPlow SFS for Zetera Storage Devices;c:\windows\system32\drivers\sfsz.sys [13/08/2008 18:59 345984]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
R2 Z-SANService;Z-SAN Service;c:\program files\NETGEAR\NETGEAR Storage Central Manager Utility\Z-SANService.exe [13/08/2008 18:59 376891]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [26/04/2010 09:16 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [26/04/2010 09:16 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [26/04/2010 09:16 88480]
R3 ZetBus;Zetera Virtual Bus;c:\windows\system32\drivers\ZetBus.sys [13/08/2008 18:59 15488]
S2 ACT! Scheduler;ACT! Scheduler;c:\program files\ACT\Act for Windows\Act.Scheduler.exe [24/08/2009 21:22 81920]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [05/02/2010 11:35 135664]
S2 QSCopyEngine;QSCopyEngine;c:\program files\Iomega\QuikProtect\QpMonitor.exe [22/04/2009 15:09 122880]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [26/04/2010 09:16 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [26/04/2010 09:16 83496]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [19/10/2007 21:34 2688]
S3 QsFsFltr;QsFsFltr;c:\windows\system32\drivers\QsFsFltr.sys [22/07/2010 13:14 13824]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]
S3 ZetMPD;ZetMPD;c:\windows\system32\drivers\ZetMPD.sys [13/08/2008 18:59 5120]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6FD3A736-DA2E-48D6-A174-629278E32478}]
gmoj.dll [N/A]
.
Contents of the 'Scheduled Tasks' folder

2010-08-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 07:49]

2010-08-01 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-14 10:15]

2010-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 10:34]

2010-08-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]

2010-07-31 c:\windows\Tasks\User_Feed_Synchronization-{A7BFBBAD-82C4-48E6-AE23-830EC8F01B93}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]

2010-08-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-08 21:18]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.co.uk
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
Trusted Zone: mcafee.com
TCP: {030617CF-0E25-43FD-A95C-F95087CC414C} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\
FF - prefs.js: browser.search.defaulturl - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\4ps1p0hg.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 17:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,df,36,98,88,c7,ec,43,ad,ea,fc,\
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,df,36,98,88,c7,ec,43,ad,ea,fc,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3a,df,36,98,88,c7,ec,43,ad,ea,fc,\

[HKEY_USERS\S-1-5-21-3664888350-2079881525-3229180341-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0e,4e,1b,2d,c9,8f,d6,40,a4,2b,bd,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0e,4e,1b,2d,c9,8f,d6,40,a4,2b,bd,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-01 17:30:29
ComboFix-quarantined-files.txt 2010-08-01 16:30

Pre-Run: 124,668,706,816 bytes free
Post-Run: 124,625,940,480 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - B5781EC9B8EA76FA3A6382D24F7FDC0B

#13 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Hello,

ComboFix Script
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

KillAll::

File::
c:\documents and settings\All Users\Application Data\NOD8JYA.dat
c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtb1D7.tmp.exe
c:\documents and settings\Administrator\Application Data\C8D1D49FF8E60DCC0ED4D06536BF3598\setupupdater0000.exe

Folder::
c:\documents and settings\Administrator\Application Data\C8D1D49FF8E60DCC0ED4D06536BF3598

RenV::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\Compaq\SetRefresh\SetRefresh .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\qttask                 .exe
c:\windows\system32\CTXFIHLP .exe
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6FD3A736-DA2E-48D6-A174-629278E32478}]

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. If ComboFix prompts you to update to the newest version, please allow it to do so. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



NEXT:



Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer. Could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • Select Perform quick scan, then click on Scan
  • Leave the default options as they are and click on Start Scan
  • When done, you will be prompted. Click OK, then click on Show Results
  • Check (tick) all items and click on Remove Selected
  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT:



ESET Online Scanner
I'd like us to scan your machine with ESET Online Scan

Note: It is recommended to disable your on-board anti-virus program and anti-spyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your anti-virus along with your anti-spyware programs.



  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Make sure that the option "Remove found threats" is Unchecked
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin
    scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as
    ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


NEXT:



Security Check
Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



NEXT:



OTL Custom Scan

We need to run an OTL Custom Scan
  • Please reopen Posted Image on your desktop.
  • Copy and Paste the following bolded text into the Posted Image textbox.


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

  • Push Posted Image
  • A report will open. Copy and Paste that report in your next reply.





Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. The log that is produced after running the ComboFix script.
3. The log that is produced after running the MalwareBytes' Anti-Malware scan.
4. The log that is produced after running the ESET Online Virus Scanner.
5. The log that is produced after running the SecurityCheck scan.
6. The log that is produced after running the OTL scan.
7. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.

Cheers,
SweetTech.
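As an added example (not ComboFix's code and not part of SweetTech's post), here is a small Python parser for the CFScript layout used above: it splits a script into its KillAll::/File::/Folder::/RenV::/Registry:: sections, keeping the embedded spaces in each entry intact, and flags the RenV entries whose file names carry whitespace before .exe, which is what sets those entries apart from a normally named executable. The sample script is a constructed, abridged copy of the one in the thread.

```python
"""Parse a ComboFix CFScript into its '::' sections and flag the
whitespace-padded executables listed under RenV::.  Added example."""
import re
from collections import OrderedDict

# Constructed sample, abridged from the CFScript posted in this thread.
SAMPLE_CFSCRIPT = """\
KillAll::

File::
c:\\documents and settings\\All Users\\Application Data\\NOD8JYA.dat

RenV::
c:\\program files\\Adobe\\Reader 9.0\\Reader\\Reader_sl .exe
c:\\program files\\QuickTime\\qttask                 .exe
Registry::
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\{6FD3A736-DA2E-48D6-A174-629278E32478}]
"""

# A directive is a single word followed by '::' on a line of its own.
DIRECTIVE = re.compile(r"^([A-Za-z]+)::\s*$")
# File name with whitespace between the stem and '.exe' (the RenV:: pattern).
PADDED_EXE = re.compile(r"^(?P<stem>.*?\S)\s+\.(?P<ext>exe)$", re.IGNORECASE)


def parse_cfscript(text):
    """Return an ordered {directive: [entry, ...]} map.  Blank lines are
    skipped; spaces inside an entry are preserved because they matter."""
    sections = OrderedDict()
    current = None
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line.strip():
            if current is None:
                raise ValueError("entry before any directive: %r" % line)
            sections[current].append(line)
    return sections


def padded_executables(paths):
    """Return (padded_path, unpadded_path) pairs for names matching the
    RenV:: pattern; a normally named executable yields nothing."""
    hits = []
    for p in paths:
        m = PADDED_EXE.match(p)
        if m:
            hits.append((p, "%s.%s" % (m.group("stem"), m.group("ext"))))
    return hits
```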

#14 Steve_gts (Topic Starter, Member, 29 posts)
Just a quick update on PC performance - it rebooted itself 3 or 4 times this time, then got the "serious error" message on the 4th or 5th attempt and has stayed on since. FF very slow to open again. Will now go through the instructions above.

Thanks

#15 SweetTech (Sir SpamAlot, Retired Staff, 7,671 posts)
Okay.