
SUSP_IRP_MJ_CREATE


This topic is locked

#1
krhaller
Member
29 posts
SUSP_IRP_MJ_CREATE came up on a McAfee scan. After a Google search, I ended up here (http://www.geekstogo...-irp-mj-create/). Based on a read-through, I've run a HijackThis scan and pasted the logfile results below. Can you please help? Thanks.

-Karl

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:29:06 PM, on 5/14/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TPHDEXLG.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
C:\WINDOWS\vsnp2uvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\Zoom\TpScrex.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\khaller\My Documents\Program Files (KRH)\Anti-Malware (Geeks To Go)\HJT\HijackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://retailbrandalliance.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://retailbrandalliance.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~1\PrdCtr\LPMGR.exe
O4 - HKLM\..\Run: [TpShocks] TpShocks.exe
O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor
O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [KMsAsKYhhcwX] C:\Documents and Settings\All Users\Application Data\KMsAsKYhhcwX.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.marketsight.com
O15 - Trusted Zone: http://*.retailbrandalliance.com
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://harrisongrou...ent/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NY.retailbrandalliance.ad
O17 - HKLM\Software\..\Telephony: DomainName = NY.retailbrandalliance.ad
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEF41D6B-BFB1-4BC3-B142-9AA7BBC560C7}: Domain = enfield
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEF41D6B-BFB1-4BC3-B142-9AA7BBC560C7}: NameServer = 172.17.100.68
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NY.retailbrandalliance.ad
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = enfield,NY.retailbrandalliance.ad,retailbrandalliance.ad
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = NY.retailbrandalliance.ad
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = enfield,NY.retailbrandalliance.ad,retailbrandalliance.ad
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Atheros Configuration Service (acs) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Engine Service (McAfeeEngineService) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\WINDOWS\system32\mfevtps.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 12368 bytes


#2
krhaller
Topic Starter, Member
29 posts
Sorry. I re-read the initial malware instructions and ran OTL instead of HijackThis. Here's the log.

OTL logfile created on: 5/14/2011 1:46:59 PM - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\khaller\My Documents\Program Files (KRH)\Anti-Malware (Geeks To Go)\OTL
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 46.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 11.67 Gb Free Space | 7.83% Space Free | Partition Type: NTFS
Drive I: | 60.00 Gb Total Space | 32.05 Gb Free Space | 53.42% Space Free | Partition Type: NTFS
Drive J: | 122.07 Gb Total Space | 14.41 Gb Free Space | 11.81% Space Free | Partition Type: NTFS
Drive K: | 1093.49 Gb Total Space | 111.22 Gb Free Space | 10.17% Space Free | Partition Type: NTFS
Drive L: | 125.00 Gb Total Space | 17.25 Gb Free Space | 13.80% Space Free | Partition Type: NTFS
Drive M: | 60.00 Gb Total Space | 2.22 Gb Free Space | 3.69% Space Free | Partition Type: NTFS
Drive N: | 24.41 Gb Total Space | 2.40 Gb Free Space | 9.83% Space Free | Partition Type: NTFS
Drive P: | 50.00 Gb Total Space | 3.05 Gb Free Space | 6.11% Space Free | Partition Type: NTFS
Drive R: | 60.00 Gb Total Space | 2.22 Gb Free Space | 3.69% Space Free | Partition Type: NTFS
Drive S: | 24.41 Gb Total Space | 2.40 Gb Free Space | 9.83% Space Free | Partition Type: NTFS
Drive T: | 24.41 Gb Total Space | 2.40 Gb Free Space | 9.83% Space Free | Partition Type: NTFS
Drive V: | 1093.49 Gb Total Space | 111.22 Gb Free Space | 10.17% Space Free | Partition Type: NTFS
Drive W: | 1093.49 Gb Total Space | 111.22 Gb Free Space | 10.17% Space Free | Partition Type: NTFS

Computer Name: KHALLERXP1-346 | User Name: khaller | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/14 13:37:09 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\khaller\My Documents\Program Files (KRH)\Anti-Malware (Geeks To Go)\OTL\OTL.exe
PRC - [2011/04/29 20:39:33 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/04/21 19:00:20 | 000,132,392 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/09/18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2009/04/29 20:07:00 | 000,144,888 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2009/04/29 20:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/04/29 20:07:00 | 000,070,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2009/04/29 20:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2009/04/29 20:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/04/29 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2009/01/16 16:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/01/16 16:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/01/16 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/01/16 16:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2007/10/26 14:28:10 | 001,544,992 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
PRC - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2007/04/06 10:25:56 | 000,364,628 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2007/03/09 15:49:42 | 000,066,176 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2007/03/08 14:16:48 | 000,073,776 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2007/02/27 18:43:30 | 000,561,213 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
PRC - [2007/02/27 18:35:04 | 000,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
PRC - [2006/12/28 20:48:10 | 000,569,344 | ---- | M] (Sonix) -- C:\WINDOWS\vsnp2uvc.exe
PRC - [2006/09/06 17:39:10 | 000,091,688 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2006/05/12 16:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe
PRC - [2006/02/02 05:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2004/08/04 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/05/14 13:37:09 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\khaller\My Documents\Program Files (KRH)\Anti-Malware (Geeks To Go)\OTL\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2009/05/24 22:41:34 | 000,304,128 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll
MOD - [2008/05/13 13:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
MOD - [2007/02/27 18:48:08 | 000,077,824 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/09/18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2009/09/18 04:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
SRV - [2009/04/29 20:07:00 | 000,144,888 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2009/04/29 20:07:00 | 000,070,216 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/04/29 20:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2009/04/29 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2009/01/16 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/04/06 10:25:56 | 000,364,628 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (acs)
SRV - [2007/02/27 18:35:04 | 000,266,295 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2006/05/12 16:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Driver Services (SafeList) ==========

DRV - [2010/05/10 14:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 14:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/09/18 04:00:00 | 000,020,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2009/04/29 20:07:00 | 000,342,128 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/04/29 20:07:00 | 000,091,640 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/04/29 20:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/04/29 20:07:00 | 000,065,224 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/04/29 20:07:00 | 000,063,696 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/04/29 20:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/10/20 20:08:06 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
DRV - [2007/11/20 17:39:56 | 000,012,288 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/10/26 14:27:00 | 000,306,300 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/09/28 17:29:00 | 000,103,472 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2007/09/28 17:28:00 | 000,019,504 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2007/09/21 02:19:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2007/05/14 13:21:16 | 000,057,216 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/03/27 06:27:02 | 000,543,712 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2007/02/27 19:02:00 | 000,868,042 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2007/02/16 16:09:06 | 009,598,080 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC)
DRV - [2007/01/31 13:45:06 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/24 19:33:00 | 000,530,861 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2007/01/24 19:27:00 | 000,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2007/01/18 16:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/12/22 12:56:00 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/12/22 12:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/22 12:55:00 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/10/15 16:01:00 | 000,149,123 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2006/10/10 00:00:00 | 000,030,459 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2006/02/02 05:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/02/02 05:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/02/02 05:20:00 | 000,086,652 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/02/02 05:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/02/02 05:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/02/02 05:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/02/02 05:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/11/18 12:02:50 | 000,005,660 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/11/18 12:02:10 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/01/26 10:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://retailbrandalliance.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://retailbrandalliance.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..keyword.URL: "http://www.google.co...com/search?&q="

FF - HKLM\software\mozilla\Firefox\extensions\\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0}: C:\Documents and Settings\khaller\Local Settings\Application Data\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0}\ [2011/05/10 22:16:13 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{DC172991-D018-4182-A7A0-7E7D26EFA1A6}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{DC172991-D018-4182-A7A0-7E7D26EFA1A6} [2011/05/12 09:34:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/29 20:39:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/24 15:10:04 | 000,000,000 | ---D | M]

[2008/07/09 17:34:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\khaller\Application Data\Mozilla\Extensions
[2011/04/03 12:31:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\extensions
[2011/02/18 14:21:18 | 000,000,000 | ---D | M] (TinEye Reverse Image Search) -- C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\extensions\[email protected]
[2010/07/12 14:43:00 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\searchplugins\bing.xml
[2009/05/26 09:56:02 | 000,002,275 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\searchplugins\wolframalpha.xml
[2010/07/12 14:43:18 | 000,004,140 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\searchplugins\youtube.xml
[2011/04/03 12:31:29 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/01/23 01:41:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
File not found (No name found) --
[2011/05/12 09:34:55 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\{DC172991-D018-4182-A7A0-7E7D26EFA1A6}
[2011/05/10 22:16:13 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\KHALLER\LOCAL SETTINGS\APPLICATION DATA\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0}
[2009/01/05 10:33:35 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2009/06/24 09:38:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/04/29 20:39:31 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2009/04/29 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/01/26 11:38:29 | 000,028,488 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2010/09/28 11:43:10 | 000,239,496 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2010/01/26 11:38:48 | 000,099,224 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
[2010/01/26 11:38:28 | 000,061,848 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe (Sonix)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - HKCU..\Run: [KMsAsKYhhcwX] File not found
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: marketsight.com ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: retailbrandalliance.com ([]http in Trusted sites)
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://download.micr...9E3A1BC/fhg.CAB (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://harrisongrou...ent/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NY.retailbrandalliance.ad
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\tpfnf2: DllName - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - C:\Program Files\Lenovo\HOTKEY\tphklock.dll - C:\Program Files\Lenovo\HOTKEY\tphklock.dll ()
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/09 02:20:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2330cd01-562e-11e0-acbb-001e4c39e391}\Shell\AutoRun\command - "" = E:\Setup_FlipShare.exe
O33 - MountPoints2\{2330cd01-562e-11e0-acbb-001e4c39e391}\Shell\Setup FlipShare\command - "" = E:\Setup_FlipShare.exe
O33 - MountPoints2\{2d03194c-c7f2-11dc-a76b-00059a3c7800}\Shell\AutoRun\command - "" = E:\wd_windows_tools\WDEULA.exe
O33 - MountPoints2\{4549b7a4-5982-11dd-a84d-001e4c39e391}\Shell - "" = AutoRun
O33 - MountPoints2\{4549b7a4-5982-11dd-a84d-001e4c39e391}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4549b7a4-5982-11dd-a84d-001e4c39e391}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{4549b7a6-5982-11dd-a84d-001e4c39e391}\Shell - "" = AutoRun
O33 - MountPoints2\{4549b7a6-5982-11dd-a84d-001e4c39e391}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4549b7a6-5982-11dd-a84d-001e4c39e391}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{5fb0c60f-415f-11de-a9a3-001e4cf9c397}\Shell\AutoRun\command - "" = E:\PC.exe
O33 - MountPoints2\{6db043c5-e04f-11de-aa91-001e4cf9c397}\Shell\AutoRun\command - "" = E:\__DTMEDIA\DTMedia.exe
O33 - MountPoints2\{6f0e0a8b-ddfc-11df-abf5-001e4c39e391}\Shell - "" = AutoRun
O33 - MountPoints2\{6f0e0a8b-ddfc-11df-abf5-001e4c39e391}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{6f0e0a8b-ddfc-11df-abf5-001e4c39e391}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{827ecb4a-664c-11dd-a861-00059a3c7800}\Shell\AutoRun\command - "" = H:\wd_windows_tools\WDEULA.exe
O33 - MountPoints2\{84e4e472-6764-11e0-acd5-001e4c39e391}\Shell\AutoRun\command - "" = E:\urDrive.exe
O33 - MountPoints2\{a87a3300-199a-11e0-ac55-001e4c39e391}\Shell - "" = AutoRun
O33 - MountPoints2\{a87a3300-199a-11e0-ac55-001e4c39e391}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{a87a3300-199a-11e0-ac55-001e4c39e391}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{cb7d8641-be4e-11dc-9b7b-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{cb7d8641-be4e-11dc-9b7b-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{cb7d8641-be4e-11dc-9b7b-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe
O33 - MountPoints2\{cdd1ba3f-5ba1-11e0-acc2-001e4c39e391}\Shell\AutoRun\command - "" = E:\urDrive.exe
O33 - MountPoints2\{d6503350-eac8-11dc-a7a3-00059a3c7800}\Shell - "" = AutoRun
O33 - MountPoints2\{d6503350-eac8-11dc-a7a3-00059a3c7800}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{d6503350-eac8-11dc-a7a3-00059a3c7800}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{f7db7dde-d1bb-11dc-a77c-00059a3c7800}\Shell\AutoRun\command - "" = E:\wd_windows_tools\WDEULA.exe
O33 - MountPoints2\{fc5ba1a0-995f-11de-aa2a-001e4cf9c397}\Shell\AutoRun\command - "" = E:\wd_windows_tools\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/14 00:11:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/05/14 00:10:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khaller\Application Data\SUPERAntiSpyware.com
[2011/05/14 00:10:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khaller\Start Menu\Programs\SUPERAntiSpyware
[2011/05/14 00:10:29 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/05/13 16:54:58 | 000,120,104 | ---- | C] (Synaptics Incorporated) -- C:\WINDOWS\System32\SynTPCo0.dll
[2011/05/13 15:43:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/05/12 20:32:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/05/12 20:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/05/12 20:31:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/05/12 08:53:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2011/05/12 08:37:36 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2011/05/12 08:37:36 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2011/05/12 08:37:36 | 000,026,624 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rw330ext.dll
[2011/05/12 08:35:37 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2011/05/10 22:16:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khaller\Local Settings\Application Data\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0}
[2008/01/09 18:29:05 | 000,167,936 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll
[2008/01/09 18:29:04 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll
[1 C:\Documents and Settings\khaller\*.tmp files -> C:\Documents and Settings\khaller\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/05/14 13:44:39 | 000,007,110 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/05/14 13:09:02 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/14 13:06:24 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2011/05/14 12:17:37 | 000,000,462 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2011/05/14 12:15:56 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2011/05/14 12:14:36 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/14 12:13:57 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/14 12:12:20 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/14 12:12:18 | 2103,734,272 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/14 00:10:46 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\khaller\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/13 17:16:16 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\khaller\Desktop\Microsoft Office Outlook 2003.lnk
[2011/05/13 16:56:10 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2011/05/13 16:56:04 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2011/05/13 15:43:51 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/05/12 21:02:19 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/12 18:49:24 | 000,000,174 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2011/05/12 17:50:35 | 000,001,493 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2011/05/12 12:47:30 | 000,001,329 | ---- | M] () -- C:\WINDOWS\Bloxebebebagu.dat
[2011/05/12 09:35:45 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Grutijosifaduju.bin
[2011/05/12 09:09:22 | 000,500,836 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/12 09:09:22 | 000,085,974 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/12 08:52:25 | 000,622,816 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/12 08:40:39 | 000,004,382 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/05/12 08:40:39 | 000,001,836 | ---- | M] () -- C:\WINDOWS\setupinf.mif
[2011/05/12 08:39:59 | 000,000,287 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2011/05/12 08:34:14 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2011/05/12 08:34:13 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/05/12 08:34:13 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/05/12 08:33:56 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2011/05/12 08:27:21 | 000,022,832 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/05/12 07:52:46 | 001,569,257 | ---- | M] () -- C:\WINDOWS\setupapi.old
[2011/05/10 22:12:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\khaller\2gweorjqjutp92vjy9gake
[2011/05/09 22:29:06 | 000,181,760 | ---- | M] () -- C:\Documents and Settings\khaller\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/02 08:55:44 | 000,000,826 | RHS- | M] () -- C:\Documents and Settings\khaller\ntuser.pol
[2011/05/01 15:30:29 | 000,006,272 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\PrimoPDFSet.xml
[2011/05/01 14:43:54 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/27 09:49:49 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/04/24 15:10:05 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/04/21 18:59:46 | 000,120,104 | ---- | M] (Synaptics Incorporated) -- C:\WINDOWS\System32\SynTPCo0.dll
[1 C:\Documents and Settings\khaller\*.tmp files -> C:\Documents and Settings\khaller\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/05/14 00:10:46 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\khaller\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/05/13 16:56:10 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2011/05/13 16:56:04 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2011/05/12 08:52:23 | 2103,734,272 | -HS- | C] () -- C:\hiberfil.sys
[2011/05/12 08:40:39 | 000,001,836 | ---- | C] () -- C:\WINDOWS\setupinf.mif
[2011/05/12 08:37:25 | 000,175,104 | ---- | C] () -- C:\WINDOWS\System32\dllcache\pintlcsa.dll
[2011/05/12 08:36:48 | 001,158,818 | ---- | C] () -- C:\WINDOWS\System32\dllcache\korwbrkr.lex
[2011/05/12 08:36:34 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2011/05/12 08:36:33 | 000,196,665 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imjpinst.exe
[2011/05/12 08:36:30 | 000,134,339 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imekr.lex
[2011/05/12 08:36:18 | 013,463,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hwxjpn.dll
[2011/05/12 08:36:10 | 000,108,827 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hanja.lex
[2011/05/12 08:36:03 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\dllcache\fpencode.dll
[2011/05/12 08:35:41 | 000,173,568 | ---- | C] () -- C:\WINDOWS\System32\dllcache\chtskf.dll
[2011/05/12 08:32:39 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2011/05/12 08:27:25 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2011/05/11 13:15:27 | 000,141,702 | ---- | C] () -- C:\WINDOWS\System32\dllcache\netfx.cat
[2011/05/11 13:15:27 | 000,110,116 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tabletpc.cat
[2011/05/11 13:15:27 | 000,031,965 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mediactr.cat
[2011/05/11 13:15:27 | 000,024,209 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn7.cat
[2011/05/11 13:15:27 | 000,011,651 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn9.cat
[2011/05/11 13:15:26 | 002,012,670 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5.CAT
[2011/05/11 13:15:26 | 001,042,903 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP2.CAT
[2011/05/11 13:15:26 | 000,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2011/05/11 13:15:26 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2011/05/11 13:15:26 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2011/05/11 13:15:26 | 000,031,281 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP4.CAT
[2011/05/11 13:15:26 | 000,013,753 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
[2011/05/11 13:15:26 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2011/05/11 13:15:26 | 000,009,581 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSMSGS.CAT
[2011/05/11 13:15:26 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2011/05/11 13:15:26 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2011/05/11 13:15:26 | 000,007,245 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[2011/05/11 13:15:25 | 000,502,724 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5INF.CAT
[2011/05/10 22:16:15 | 000,001,329 | ---- | C] () -- C:\WINDOWS\Bloxebebebagu.dat
[2011/05/10 22:16:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Grutijosifaduju.bin
[2011/05/10 22:12:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\khaller\2gweorjqjutp92vjy9gake
[2011/04/11 23:12:14 | 000,464,254 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2143859127-1516982502-3389632016-3411-0.dat
[2011/03/11 18:55:16 | 000,464,254 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/01/04 22:11:42 | 000,315,864 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/08/28 09:33:13 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\bridf06a.dat
[2010/08/28 09:32:15 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2010/08/24 12:43:28 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2010/08/24 12:43:28 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2010/07/03 16:50:15 | 000,148,080 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/06/24 17:46:31 | 000,000,041 | ---- | C] () -- C:\WINDOWS\webica.ini
[2010/06/02 12:02:10 | 000,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2009/11/30 15:34:25 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2009/11/30 15:34:25 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2009/11/05 10:45:55 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\khaller\Application Data\winscp.rnd
[2009/10/21 12:24:15 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/05/13 13:02:24 | 000,050,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2009/02/05 17:44:41 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2008/11/22 01:18:40 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2008/10/06 10:17:13 | 000,000,078 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2008/06/12 14:35:50 | 000,163,896 | ---- | C] () -- C:\WINDOWS\sequencer.exe
[2008/06/12 14:35:18 | 000,000,175 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/30 10:20:12 | 000,006,272 | ---- | C] () -- C:\Documents and Settings\khaller\Application Data\PrimoPDFSet.xml
[2008/04/30 10:20:12 | 000,000,311 | ---- | C] () -- C:\Documents and Settings\khaller\Application Data\APUSet.xml
[2008/04/30 10:18:04 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/04/30 10:17:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/04/20 15:48:51 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7Q.DLL
[2008/03/19 10:50:15 | 000,048,586 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xpif-v02030a.dtd
[2008/03/12 13:21:21 | 000,181,760 | ---- | C] () -- C:\Documents and Settings\khaller\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/27 20:13:50 | 000,000,174 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008/02/06 13:40:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2008/01/12 12:02:28 | 000,000,462 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/01/12 01:13:44 | 000,016,384 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
[2008/01/12 01:13:44 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2008/01/11 17:00:45 | 000,001,270 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2008/01/11 16:05:09 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2008/01/11 16:05:09 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2008/01/11 16:05:09 | 000,000,319 | ---- | C] () -- C:\WINDOWS\System32\HPB1320V.DAT
[2008/01/09 18:29:07 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2uvc.ini
[2008/01/09 18:29:05 | 009,598,080 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
[2008/01/09 06:59:51 | 000,000,041 | ---- | C] () -- C:\WINDOWS\CSERVE.INI
[2008/01/09 06:45:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/09 06:00:52 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2008/01/09 06:00:52 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2008/01/09 02:25:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/01/09 02:18:06 | 000,022,832 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/01/08 21:05:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/01/08 21:04:26 | 000,622,816 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/10/26 14:28:18 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/10/26 14:28:04 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/09 11:43:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4860.dll
[2007/08/09 11:28:52 | 000,910,464 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2007/02/27 18:48:38 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/02/27 18:29:32 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2006/11/06 17:49:36 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2006/06/14 12:26:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,500,836 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,085,974 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2008/04/20 15:48:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/10/22 16:46:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates
[2009/11/30 15:38:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
[2010/05/30 13:35:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/01/02 00:35:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Amazon
[2008/11/22 01:31:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Blackberry Desktop
[2010/08/28 09:10:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Canon
[2009/05/20 18:13:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\com.nyt.timesreader.78C54164786ADE80CB31E1C5D95607D0938C987A.1
[2010/06/22 11:26:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\ICAClient
[2008/07/14 16:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\InterVideo
[2009/05/24 14:39:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Leadertech
[2010/06/01 14:39:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\org.gapminder.desktop.434684C0EEE0B6011903D7CB9F42374B4E5823E7.1
[2008/11/22 01:18:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Research In Motion
[2010/02/08 15:12:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2011/01/18 16:03:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\webex
[2009/05/26 15:50:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Windows Desktop Search
[2009/05/26 17:06:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Windows Search
[2009/05/05 15:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Xerox
[2011/05/14 13:06:24 | 000,000,298 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========



< End of report >
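The entries in the log above that a malware-removal helper acts on first are the HKCU Run value whose file is gone (O4 "File not found"), the per-device AutoRun handlers cached under MountPoints2 (O33), the NoDriveTypeAutoRun policy (O7) that decides whether those handlers can still fire, and the XULRunner extension directories stored under Local Settings rather than in the Firefox profile. The Python script below is an added example for this thread, not code from the original post or from OTL; it parses lines in the format OTL prints. The sample lines are constructed and modelled on the log, and the vowel-ratio heuristic for random-looking names and the severity labels are assumptions of this example, not OTL rules.

```python
"""
Triage helper for OTL-style log lines. Added example for this thread (not
OTL's or the helper's code): flags Run keys whose target file is missing,
decodes the NoDriveTypeAutoRun policy, lists per-device AutoRun handlers
(O33) and Firefox extension directories that live outside the profile.
The random-name heuristic and severity labels are this example's own assumptions.
"""
import re
from typing import Dict, List, Tuple

# Bit meanings of the NoDriveTypeAutoRun policy value (documented by Microsoft).
AUTORUN_BITS = {
    0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
    0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved",
}

RUN_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.*)$')
POLICY_RE = re.compile(r'^O7 - .*NoDriveTypeAutoRun = (?P<value>\d+)\s*$')
MOUNT_RE = re.compile(r'^O33 - MountPoints2\\(?P<guid>\{[^}]+\})\\Shell\\AutoRun\\command - "" = (?P<cmd>.+)$')
# XULRunner extension directory stored under Local Settings\Application Data\{GUID}.
EXT_RE = re.compile(
    r'^\[.*\|\s*---D\s*\|\s*M\]\s+\(XULRunner\)\s+--\s+'
    r'(?P<path>.*\\LOCAL SETTINGS\\APPLICATION DATA\\\{[0-9A-Fa-f-]+\})\s*$',
    re.IGNORECASE,
)

# Constructed sample modelled on the posted log; not a verbatim copy of it.
SAMPLE_LOG = r"""
[2011/05/10 22:16:13 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\KHALLER\LOCAL SETTINGS\APPLICATION DATA\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0}
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKCU..\Run: [KMsAsKYhhcwX] File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O33 - MountPoints2\{4549b7a4-5982-11dd-a84d-001e4c39e391}\Shell - "" = AutoRun
O33 - MountPoints2\{4549b7a4-5982-11dd-a84d-001e4c39e391}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{cb7d8641-be4e-11dc-9b7b-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe
"""

Finding = Tuple[str, str, str]  # (severity, tag, detail)


def decode_nodrivetypeautorun(value: int) -> Dict[str, bool]:
    """Map each drive type to True when AutoRun is DISABLED for it (bit set)."""
    return {name: bool(value & bit) for bit, name in sorted(AUTORUN_BITS.items())}


def looks_random(name: str) -> bool:
    """Assumed heuristic: eight or more letters, nothing else, under 20% vowels."""
    if len(name) < 8 or not name.isalpha():
        return False
    vowels = sum(c.lower() in "aeiou" for c in name)
    return vowels / len(name) < 0.2


def triage(log_text: str) -> List[Finding]:
    """Scan OTL lines and return the findings a helper would look at first."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, target = m.group("hive", "name", "target")
            if target.strip() == "File not found":
                # Run value whose file is gone: leftover of removed malware or a
                # loader that has moved; either way the value should be cleared.
                findings.append(("high", "orphaned-run-key", f"{hive} Run [{name}]"))
            elif looks_random(name):
                findings.append(("low", "random-run-name", f"{hive} Run [{name}] -> {target}"))
            continue
        m = POLICY_RE.match(line)
        if m:
            policy = decode_nodrivetypeautorun(int(m.group("value")))
            still_on = [kind for kind, disabled in policy.items() if not disabled]
            findings.append(("info", "autorun-policy", "AutoRun still enabled for: " + ", ".join(still_on)))
            continue
        m = MOUNT_RE.match(line)
        if m:
            # Command cached from the volume's autorun.inf; Explorer uses it when
            # the device is opened or AutoPlay fires for that volume again.
            findings.append(("medium", "mountpoint-autorun", f"{m.group('guid')} -> {m.group('cmd')}"))
            continue
        m = EXT_RE.match(line)
        if m:
            findings.append(("medium", "extension-outside-profile", m.group("path")))
    return findings


if __name__ == "__main__":
    for severity, tag, detail in triage(SAMPLE_LOG):
        print(f"{severity:6} {tag:26} {detail}")
```

Run it as-is to print the findings for the sample; to triage a real report, read OTL.txt into a string and pass it to triage(). Decoding 145 (0x91) shows AutoRun disabled only for unknown, network and reserved drive types, so the cached O33 handlers for removable and CD-ROM volumes can still run, which is why a helper clears them along with the orphaned Run value.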

#3
michaelg9

michaelg9

    Trusted Helper

  • Malware Removal
  • 2,949 posts
Hi. My name is Michael and I am here to help you fix your computer.
If you have already received help elsewhere please inform me so that this topic can be closed.
If you haven't, please keep reading:
Note: Before we start the process you should:
  • POST your logs, don't attach them, as it makes it harder to read.
  • Save or print these instructions as a part of the fix will be in safe mode where you will not be able to access the internet.
  • Disable ANY programs that offer real-time protection features while executing my instructions. That includes your antivirus, antispyware, Windows Defender or any other program that offers protection. When you're clean or waiting for my next set of instructions, re-enable them. If you need any help disabling them, ask.
  • Each time I instruct you to download a file to use it, please do it even if I have told you before to download it again. This is because these tools are frequently updated to detect newer infections.
  • Last, as most of the tools we use here need administrative rights in order to function properly, I expect that you will be running them from an administrator account.


Sorry for the late reply.


Is your Internet Service Provider named EarthLink?


Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).


Next:



Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**



Next:
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    FF - HKLM\software\mozilla\Firefox\extensions\\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0}: C:\Documents and Settings\khaller\Local Settings\Application Data\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0}\ [2011/05/10 22:16:13 | 000,000,000 | ---D | M]
    FF - HKLM\software\mozilla\Firefox\extensions\\{DC172991-D018-4182-A7A0-7E7D26EFA1A6}: C:\Documents and Settings\Administrator\Local Settings\Application Data\{DC172991-D018-4182-A7A0-7E7D26EFA1A6} [2011/05/12 09:34:55 | 000,000,000 | ---D | M]
    [2011/01/23 01:41:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    File not found (No name found) --
    [2011/05/12 09:34:55 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\{DC172991-D018-4182-A7A0-7E7D26EFA1A6}
    [2011/05/10 22:16:13 | 000,000,000 | ---D | M] (XULRunner) -- C:\DOCUMENTS AND SETTINGS\KHALLER\LOCAL SETTINGS\APPLICATION DATA\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0}
    O4 - HKCU..\Run: [KMsAsKYhhcwX] File not found
    O15 - HKCU\..Trusted Domains: marketsight.com ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: retailbrandalliance.com ([]http in Trusted sites)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NY.retailbrandalliance.ad
    O33 - MountPoints2\{2330cd01-562e-11e0-acbb-001e4c39e391}\Shell\AutoRun\command - "" = E:\Setup_FlipShare.exe
    O33 - MountPoints2\{2330cd01-562e-11e0-acbb-001e4c39e391}\Shell\Setup FlipShare\command - "" = E:\Setup_FlipShare.exe
    O33 - MountPoints2\{2d03194c-c7f2-11dc-a76b-00059a3c7800}\Shell\AutoRun\command - "" = E:\wd_windows_tools\WDEULA.exe
    O33 - MountPoints2\{4549b7a4-5982-11dd-a84d-001e4c39e391}\Shell - "" = AutoRun
    O33 - MountPoints2\{4549b7a4-5982-11dd-a84d-001e4c39e391}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4549b7a4-5982-11dd-a84d-001e4c39e391}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
    O33 - MountPoints2\{4549b7a6-5982-11dd-a84d-001e4c39e391}\Shell - "" = AutoRun
    O33 - MountPoints2\{4549b7a6-5982-11dd-a84d-001e4c39e391}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4549b7a6-5982-11dd-a84d-001e4c39e391}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
    O33 - MountPoints2\{5fb0c60f-415f-11de-a9a3-001e4cf9c397}\Shell\AutoRun\command - "" = E:\PC.exe
    O33 - MountPoints2\{6db043c5-e04f-11de-aa91-001e4cf9c397}\Shell\AutoRun\command - "" = E:\__DTMEDIA\DTMedia.exe
    O33 - MountPoints2\{6f0e0a8b-ddfc-11df-abf5-001e4c39e391}\Shell - "" = AutoRun
    O33 - MountPoints2\{6f0e0a8b-ddfc-11df-abf5-001e4c39e391}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{6f0e0a8b-ddfc-11df-abf5-001e4c39e391}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
    O33 - MountPoints2\{827ecb4a-664c-11dd-a861-00059a3c7800}\Shell\AutoRun\command - "" = H:\wd_windows_tools\WDEULA.exe
    O33 - MountPoints2\{84e4e472-6764-11e0-acd5-001e4c39e391}\Shell\AutoRun\command - "" = E:\urDrive.exe
    O33 - MountPoints2\{a87a3300-199a-11e0-ac55-001e4c39e391}\Shell - "" = AutoRun
    O33 - MountPoints2\{a87a3300-199a-11e0-ac55-001e4c39e391}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{a87a3300-199a-11e0-ac55-001e4c39e391}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
    O33 - MountPoints2\{cb7d8641-be4e-11dc-9b7b-806d6172696f}\Shell - "" = AutoRun
    O33 - MountPoints2\{cb7d8641-be4e-11dc-9b7b-806d6172696f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{cb7d8641-be4e-11dc-9b7b-806d6172696f}\Shell\AutoRun\command - "" = D:\setup.exe
    O33 - MountPoints2\{cdd1ba3f-5ba1-11e0-acc2-001e4c39e391}\Shell\AutoRun\command - "" = E:\urDrive.exe
    O33 - MountPoints2\{d6503350-eac8-11dc-a7a3-00059a3c7800}\Shell - "" = AutoRun
    O33 - MountPoints2\{d6503350-eac8-11dc-a7a3-00059a3c7800}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{d6503350-eac8-11dc-a7a3-00059a3c7800}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
    O33 - MountPoints2\{f7db7dde-d1bb-11dc-a77c-00059a3c7800}\Shell\AutoRun\command - "" = E:\wd_windows_tools\WDEULA.exe
    O33 - MountPoints2\{fc5ba1a0-995f-11de-aa2a-001e4cf9c397}\Shell\AutoRun\command - "" = E:\wd_windows_tools\setup.exe
    [2011/05/10 22:16:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khaller\Local Settings\Application Data\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0}
    [1 C:\Documents and Settings\khaller\*.tmp files -> C:\Documents and Settings\khaller\*.tmp -> ]
    [2011/05/12 12:47:30 | 000,001,329 | ---- | M] () -- C:\WINDOWS\Bloxebebebagu.dat
    [2011/05/12 09:35:45 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Grutijosifaduju.bin
    [2011/05/10 22:12:47 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\khaller\2gweorjqjutp92vjy9gake
    [2011/05/10 22:16:15 | 000,001,329 | ---- | C] () -- C:\WINDOWS\Bloxebebebagu.dat
    [2011/05/10 22:16:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Grutijosifaduju.bin
    [2011/05/10 22:12:47 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\khaller\2gweorjqjutp92vjy9gake
    [2009/02/05 17:44:41 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat

    :Services

    :Reg

    :Files

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.



Next:
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.


You have work to do :yes:
  • 0
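As an added illustration of what a helper is looking for when reading the OTL entries that went into the fix script above (example code written for this page, not part of the thread and not OTL's own code), the following Python script parses OTL-style log lines and flags the kinds of entries that ended up in the fix: an O4 Run entry whose target is "File not found", O33 MountPoints2 AutoRun commands pointing at removable media, O15 Trusted Zone domains, and file entries with no company name sitting directly in C:\WINDOWS. The sample lines are constructed from the line formats quoted above, and the rule names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the line formats OTL prints, modelled on the entries
# quoted in the fix script above. Not a complete OTL log.
SAMPLE_OTL_LINES = [
    r"O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)",
    r"O4 - HKCU..\Run: [KMsAsKYhhcwX] File not found",
    r"O15 - HKCU\..Trusted Domains: marketsight.com ([]* in Trusted sites)",
    r'O33 - MountPoints2\{4549b7a4-5982-11dd-a84d-001e4c39e391}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a',
    r'O33 - MountPoints2\{cb7d8641-be4e-11dc-9b7b-806d6172696f}\Shell - "" = AutoRun',
    r"[2011/05/12 12:47:30 | 000,001,329 | ---- | M] () -- C:\WINDOWS\Bloxebebebagu.dat",
    r"[2011/05/12 09:35:45 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Grutijosifaduju.bin",
    r"[2011/01/23 01:41:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}",
    r"[2009/02/05 17:44:41 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat",
]

# O4: autostart entries under a Run key, "[name] target (company)".
O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
# O15: domains added to Internet Explorer's Trusted sites zone.
O15_RE = re.compile(r"^O15 - .*Trusted Domains: (?P<domain>\S+)")
# O33: per-volume MountPoints2 shell verbs; the \command value is what AutoPlay runs.
O33_RE = re.compile(r'^O33 - MountPoints2\\(?P<volume>\{[0-9a-fA-F-]+\})\\(?P<key>.+?) - "" = (?P<value>.*)$')
# File/folder entries: [timestamp | size | attributes | M(odified)/C(reated)] (company) -- path
FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.*)$"
)


@dataclass
class Finding:
    rule: str  # my own rule label (hypothetical naming, not OTL terminology)
    line: str  # the log line that triggered it


def triage_otl(lines):
    """Return the lines a helper would look at first, each tagged with why."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O4_RE.match(line):
            # A Run value whose executable is gone is an orphaned autostart:
            # harmless by itself, but it shows something was installed there.
            if m["target"] == "File not found":
                findings.append(Finding("orphaned-run-entry", line))
            continue
        if m := O33_RE.match(line):
            # Only the \command value launches anything; "Shell = AutoRun" is just a label.
            if m["key"].lower().endswith(r"\command"):
                findings.append(Finding("removable-media-autorun", line))
            continue
        if m := O15_RE.match(line):
            findings.append(Finding("trusted-zone-domain", line))
            continue
        if m := FILE_RE.match(line):
            path = PureWindowsPath(m["path"])
            is_dir = "D" in m["attrs"]
            in_windows_root = str(path.parent).lower() == r"c:\windows"
            # Files with no company/version info dropped straight into C:\WINDOWS
            # are a classic place for randomly named malware data files.
            if not is_dir and not m["company"] and in_windows_root:
                findings.append(Finding("unattributed-file-in-windows-root", line))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    results = triage_otl(SAMPLE_OTL_LINES)
    for f in results:
        print(f"{f.rule:36} {f.line}")
    print(dict(summarize(results)))
```

Flagged lines are triage leads, not verdicts: the helper still decides what goes into the fix. The root-folder rule is deliberately narrow, so a file such as ezsidmv.dat in System32, which the fix script above does remove, is not caught by it.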

#4
krhaller (Topic Starter, Member, 29 posts)
Michael,

Thanks much. I just got home and am starting your instructions. I will post the first results as soon as it runs.

-Karl
  • 0

#5
krhaller (Topic Starter, Member, 29 posts)
Here's the GooredFix log. Running ComboFix now.
And yes, Earthlink (thru Time Warner Cable pipes) is my ISP.

-Karl
________________________

GooredFix by jpshortstuff (03.07.10.1)
Log created at 19:23 on 18/05/2011 (khaller)
Firefox version 4.0.1 (en-US)

========== GooredScan ==========

Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0} -> Success!
Deleting C:\Documents and Settings\khaller\Local Settings\Application Data\{ECDCBFB7-DAB1-429A-BAF2-A8C1F33426F0} -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{DC172991-D018-4182-A7A0-7E7D26EFA1A6} -> Success!
Deleting C:\Documents and Settings\Administrator\Local Settings\Application Data\{DC172991-D018-4182-A7A0-7E7D26EFA1A6} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [16:31 03/04/2011]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [21:39 09/07/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [14:34 05/01/2009]
{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [05:41 23/01/2011]

C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\extensions\
[email protected] [18:21 18/02/2011]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [15:09 28/01/2009]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [14:33 05/01/2009]

-=E.O.F=-
  • 0

#6
krhaller (Topic Starter, Member, 29 posts)
Here is the ComboFix log.

-Karl
________________________

ComboFix 11-05-17.03 - khaller 05/18/2011 19:51:04.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2006.1420 [GMT -4:00]
Running from: c:\documents and settings\khaller\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *Enabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Start Menu\Programs\Internet Explorer.lnk
c:\documents and settings\khaller\2gweorjqjutp92vjy9gake
c:\documents and settings\khaller\Application Data\Adobe\plugs
c:\documents and settings\khaller\Application Data\Adobe\shed
c:\documents and settings\khaller\Application Data\Adobe\shed\thr1.chm
c:\documents and settings\khaller\g2mdlhlpx.exe
c:\documents and settings\khaller\WINDOWS
.
.
((((((((((((((((((((((((( Files Created from 2011-04-18 to 2011-05-18 )))))))))))))))))))))))))))))))
.
.
2011-05-14 04:11 . 2011-05-14 04:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-13 20:55 . 2008-11-07 22:55 16928 ------w- c:\windows\system32\spmsgXP_2k3.dll
2011-05-13 20:55 . 2009-08-07 14:49 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2011-05-13 20:54 . 2011-04-21 22:59 120104 ----a-w- c:\windows\system32\SynTPCo0.dll
2011-05-13 00:32 . 2011-05-13 00:34 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-05-12 13:35 . 2011-05-12 13:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Identities
2011-05-12 13:35 . 2011-05-12 13:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Apple Computer
2011-05-12 13:35 . 2011-05-12 13:35 -------- d-----w- c:\documents and settings\Administrator\Application Data\Windows Desktop Search
2011-05-12 13:35 . 2007-08-09 14:31 172032 ----a-w- c:\windows\system32\igfxres.dll
2011-05-12 12:37 . 2004-08-04 12:00 46592 -c--a-w- c:\windows\system32\dllcache\sspifilt.dll
2011-05-12 12:36 . 2004-08-04 12:00 7680 -c--a-w- c:\windows\system32\dllcache\migregdb.exe
2011-05-12 12:35 . 2004-08-04 12:00 92160 -c--a-w- c:\windows\system32\dllcache\evntwin.exe
2011-05-12 12:34 . 2004-08-04 12:00 29696 -c--a-w- c:\windows\system32\dllcache\admexs.dll
2011-05-12 12:32 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-05-12 12:32 . 2004-08-04 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-05-12 12:30 . 2004-08-04 12:00 32768 -c--a-w- c:\windows\system32\dllcache\icwdl.dll
2011-05-12 12:30 . 2004-08-04 12:00 32768 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwdl.dll
2011-05-12 12:30 . 2004-08-04 12:00 20480 -c--a-w- c:\windows\system32\dllcache\inetwiz.exe
2011-05-12 12:30 . 2004-08-04 12:00 20480 ----a-w- c:\program files\Internet Explorer\Connection Wizard\inetwiz.exe
2011-05-12 12:30 . 2004-08-04 12:00 86016 -c--a-w- c:\windows\system32\dllcache\icwconn2.exe
2011-05-12 12:30 . 2004-08-04 12:00 86016 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn2.exe
2011-05-12 12:30 . 2004-08-04 12:00 214528 -c--a-w- c:\windows\system32\dllcache\icwconn1.exe
2011-05-12 12:30 . 2004-08-04 12:00 214528 ----a-w- c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe
2011-05-12 12:10 . 2004-08-04 12:00 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-05-12 12:10 . 2004-08-04 12:00 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-05-12 12:10 . 2004-08-04 12:00 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-05-12 12:10 . 2004-08-04 12:00 13312 ----a-w- c:\windows\system32\irclass.dll
2011-05-11 16:19 . 2011-05-11 16:19 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-05-11 16:17 . 2011-05-11 16:17 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-05-11 02:16 . 2011-05-12 13:35 0 ----a-w- c:\windows\Grutijosifaduju.bin
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-21 23:00 . 2003-06-24 19:16 1342768 ----a-w- c:\windows\system32\drivers\SynTP.sys
2011-04-21 22:59 . 2003-06-24 19:22 173352 ----a-w- c:\windows\system32\SynTPAPI.dll
2011-04-21 22:59 . 2003-06-24 19:25 222504 ----a-w- c:\windows\system32\SynCtrl.dll
2011-04-21 22:59 . 2003-06-24 19:24 177448 ----a-w- c:\windows\system32\SynCOM.dll
2010-01-26 15:38 . 2009-05-13 17:02 28488 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-09-28 15:43 . 2009-05-13 17:02 239496 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-01-26 15:38 . 2010-01-26 15:38 99224 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-04-30 00:39 . 2011-04-03 16:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-04-30 00:07 . 2009-10-22 20:50 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"TPHOTKEY"="c:\program files\Lenovo\HOTKEY\TPOSDSVC.exe" [2007-03-09 66176]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2006-12-29 569344]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2011-04-21 132392]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2011-04-21 2241832]
"LPManager"="c:\progra~1\THINKV~1\PrdCtr\LPMGR.exe" [2007-04-27 120368]
"TpShocks"="TpShocks.exe" [2007-09-28 181544]
"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]
"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-02-02 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-04-30 124240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-04-09 1015808]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\ThinkPad\Bluetooth Software\BTTray.exe [2007-2-27 561213]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2009-4-3 6144]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]
2006-09-06 21:37 34344 ----a-w- c:\program files\Lenovo\HOTKEY\notifyf2.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
2006-12-14 16:06 28672 ----a-w- c:\program files\Lenovo\HOTKEY\tphklock.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0sprestrt
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [9/28/2007 5:28 PM 19504]
R2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\EngineServer.exe [4/29/2009 8:07 PM 21256]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [10/22/2009 4:50 PM 70216]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/9/2010 11:57 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [12/9/2010 11:57 AM 136176]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [10/22/2009 4:50 PM 65224]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-09 15:57]
.
2011-05-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-12-09 15:57]
.
2011-05-18 c:\windows\Tasks\PMTask.job
- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2008-01-12 06:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://retailbrandalliance.com/
uInternet Connection Wizard,ShellNext = hxxp://retailbrandalliance.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm
Trusted Zone: marketsight.com
Trusted Zone: retailbrandalliance.com
FF - ProfilePath - c:\documents and settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\
FF - prefs.js: browser.startup.homepage - hxxp://retailbrandalliance.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-KMsAsKYhhcwX - c:\documents and settings\All Users\Application Data\KMsAsKYhhcwX.exe
MSConfigStartUp-Fdisilo - c:\windows\mspims.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-18 19:56
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1892)
c:\program files\Lenovo\HOTKEY\tphklock.dll
c:\windows\system32\netprovcredman.dll
.
Completion time: 2011-05-18 20:00:21
ComboFix-quarantined-files.txt 2011-05-19 00:00
.
Pre-Run: 12,196,954,112 bytes free
Post-Run: 12,177,928,192 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 74ED51BC71EACB6FEE5FB0A197ECD0C4
  • 0

#7
krhaller (Topic Starter, Member, 29 posts)
Here are the OTL Quick Scan results. GMER is next.

-Karl

____________

OTL logfile created on: 5/18/2011 8:15:27 PM - Run 2
OTL by OldTimer - Version 3.2.22.3 Folder = C:\Documents and Settings\khaller\My Documents\Program Files (KRH)\Anti-Malware (Geeks To Go)\OTL
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.05 Gb Total Space | 11.56 Gb Free Space | 7.75% Space Free | Partition Type: NTFS

Computer Name: KHALLERXP1-346 | User Name: khaller | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/05/14 13:37:09 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\khaller\My Documents\Program Files (KRH)\Anti-Malware (Geeks To Go)\OTL\OTL.exe
PRC - [2011/04/21 19:00:20 | 000,132,392 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2009/09/18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2009/04/29 20:07:00 | 000,144,888 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
PRC - [2009/04/29 20:07:00 | 000,124,240 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
PRC - [2009/04/29 20:07:00 | 000,070,216 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2009/04/29 20:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
PRC - [2009/04/29 20:07:00 | 000,027,960 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
PRC - [2009/04/29 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe
PRC - [2009/01/16 16:00:00 | 000,226,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
PRC - [2009/01/16 16:00:00 | 000,136,512 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\UdaterUI.exe
PRC - [2009/01/16 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe
PRC - [2009/01/16 16:00:00 | 000,091,456 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\Common Framework\McTray.exe
PRC - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2007/04/06 10:25:56 | 000,364,628 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2007/03/09 15:49:42 | 000,066,176 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe
PRC - [2007/03/08 14:16:48 | 000,073,776 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe
PRC - [2007/02/27 18:43:30 | 000,561,213 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe
PRC - [2007/02/27 18:35:04 | 000,266,295 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe
PRC - [2006/12/28 20:48:10 | 000,569,344 | ---- | M] (Sonix) -- C:\WINDOWS\vsnp2uvc.exe
PRC - [2006/09/06 17:39:10 | 000,091,688 | ---- | M] (Lenovo Group Limited) -- C:\Program Files\Lenovo\ZOOM\TpScrex.exe
PRC - [2006/05/12 16:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) -- C:\Program Files\RealVNC\VNC4\winvnc4.exe
PRC - [2006/02/02 05:20:00 | 000,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\DLA\DLACTRLW.EXE
PRC - [2004/08/04 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2011/05/14 13:37:09 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\khaller\My Documents\Program Files (KRH)\Anti-Malware (Geeks To Go)\OTL\OTL.exe
MOD - [2010/08/23 12:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2007/02/27 18:48:08 | 000,077,824 | ---- | M] (Broadcom Corporation.) -- C:\WINDOWS\system32\BtMmHook.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/09/18 04:00:00 | 000,764,768 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2009/09/18 04:00:00 | 000,246,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\WINDOWS\System32\CCM\TSManager.exe -- (smstsmgr)
SRV - [2009/04/29 20:07:00 | 000,144,888 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe -- (McShield)
SRV - [2009/04/29 20:07:00 | 000,070,216 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2009/04/29 20:07:00 | 000,062,800 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe -- (McTaskManager)
SRV - [2009/04/29 20:07:00 | 000,021,256 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\VirusScan Enterprise\EngineServer.exe -- (McAfeeEngineService)
SRV - [2009/01/16 16:00:00 | 000,103,744 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\Common Framework\FrameworkService.exe -- (McAfeeFramework)
SRV - [2007/10/26 14:28:06 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/04/06 10:25:56 | 000,364,628 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (acs)
SRV - [2007/02/27 18:35:04 | 000,266,295 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\ThinkPad\Bluetooth Software\bin\btwdins.exe -- (btwdins)
SRV - [2006/05/12 16:04:08 | 000,439,248 | ---- | M] (RealVNC Ltd.) [Auto | Running] -- C:\Program Files\RealVNC\VNC4\WinVNC4.exe -- (WinVNC4)


========== Driver Services (SafeList) ==========

DRV - [2009/09/18 04:00:00 | 000,020,848 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2009/04/29 20:07:00 | 000,342,128 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/04/29 20:07:00 | 000,091,640 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/04/29 20:07:00 | 000,075,704 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2009/04/29 20:07:00 | 000,065,224 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2009/04/29 20:07:00 | 000,063,696 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdik.sys -- (mfetdik)
DRV - [2009/04/29 20:07:00 | 000,043,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2008/10/20 20:08:06 | 000,012,448 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smsmdm.sys -- (smsmdd)
DRV - [2007/11/20 17:39:56 | 000,012,288 | ---- | M] (Intel Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\s24trans.sys -- (s24trans)
DRV - [2007/10/26 14:27:00 | 000,306,300 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/09/28 17:29:00 | 000,103,472 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\Apsx86.sys -- (Shockprf)
DRV - [2007/09/28 17:28:00 | 000,019,504 | ---- | M] (Lenovo.) [Kernel | Boot | Running] -- C:\WINDOWS\System32\DRIVERS\ApsHM86.sys -- (TPDIGIMN)
DRV - [2007/09/21 02:19:00 | 000,004,442 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\TPPWRIF.SYS -- (TPPWRIF)
DRV - [2007/05/14 13:21:16 | 000,057,216 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/03/27 06:27:02 | 000,543,712 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2007/02/27 19:02:00 | 000,868,042 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btkrnl.sys -- (BTKRNL)
DRV - [2007/02/16 16:09:06 | 009,598,080 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\snp2uvc.sys -- (SNP2UVC) USB2.0 PC Camera (SNP2UVC)
DRV - [2007/01/31 13:45:06 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/24 19:33:00 | 000,530,861 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btaudio.sys -- (btaudio)
DRV - [2007/01/24 19:27:00 | 000,067,960 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwusb.sys -- (BTWUSB)
DRV - [2007/01/18 16:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/12/22 12:56:00 | 000,988,800 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2006/12/22 12:56:00 | 000,209,664 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWAZL.sys -- (HSFHWAZL)
DRV - [2006/12/22 12:55:00 | 000,730,112 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/10/15 16:01:00 | 000,149,123 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\btwdndis.sys -- (BTWDNDIS)
DRV - [2006/10/10 00:00:00 | 000,030,459 | ---- | M] (Broadcom Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\btport.sys -- (BTDriver)
DRV - [2006/02/02 05:20:00 | 000,094,332 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDFAM.SYS -- (DLAUDFAM)
DRV - [2006/02/02 05:20:00 | 000,087,036 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAUDF_M.SYS -- (DLAUDF_M)
DRV - [2006/02/02 05:20:00 | 000,086,652 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAIFS_M.SYS -- (DLAIFS_M)
DRV - [2006/02/02 05:20:00 | 000,025,628 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLABOIOM.SYS -- (DLABOIOM)
DRV - [2006/02/02 05:20:00 | 000,014,684 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAOPIOM.SYS -- (DLAOPIOM)
DRV - [2006/02/02 05:20:00 | 000,006,364 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLAPoolM.SYS -- (DLAPoolM)
DRV - [2006/02/02 05:20:00 | 000,002,496 | ---- | M] (Sonic Solutions) [File_System | Auto | Running] -- C:\WINDOWS\system32\DLA\DLADResN.SYS -- (DLADResN)
DRV - [2005/11/18 12:02:50 | 000,005,660 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLACDBHM.SYS -- (DLACDBHM)
DRV - [2005/11/18 12:02:10 | 000,022,684 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\DLARTL_N.SYS -- (DLARTL_N)
DRV - [2005/01/26 10:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://retailbrandalliance.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://retailbrandalliance.com/"
FF - prefs.js..extensions.enabledItems: [email protected]:1.0
FF - prefs.js..extensions.enabledItems: [email protected]:1.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}:6.0.23
FF - prefs.js..keyword.URL: "http://www.google.co...com/search?&q="

FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/04/29 20:39:39 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/24 15:10:04 | 000,000,000 | ---D | M]

[2008/07/09 17:34:51 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\khaller\Application Data\Mozilla\Extensions
[2011/04/03 12:31:58 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\extensions
[2011/02/18 14:21:18 | 000,000,000 | ---D | M] (TinEye Reverse Image Search) -- C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\extensions\[email protected]
[2010/07/12 14:43:00 | 000,001,820 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\searchplugins\bing.xml
[2009/05/26 09:56:02 | 000,002,275 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\searchplugins\wolframalpha.xml
[2010/07/12 14:43:18 | 000,004,140 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\Mozilla\Firefox\Profiles\1d9xfj0p.default\searchplugins\youtube.xml
[2011/05/18 20:07:31 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
File not found (No name found) --
[2009/01/05 10:33:35 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
File not found (No name found) -- C:\PROGRAM FILES\MOZILLA FIREFOX\EXTENSIONS\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2009/06/24 09:38:44 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/04/29 20:39:31 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2009/04/29 20:07:00 | 000,023,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2010/01/26 11:38:29 | 000,028,488 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\atgpcdec.dll
[2010/09/28 11:43:10 | 000,239,496 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\Mozilla Firefox\plugins\atgpcext.dll
[2010/01/26 11:38:48 | 000,099,224 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\ieatgpc.dll
[2010/01/26 11:38:28 | 000,061,848 | ---- | M] (WebEx Communications, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npatgpc.dll
[2010/11/12 19:53:06 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/01 04:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/05/18 19:56:38 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [DLA] C:\WINDOWS\system32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PWRMGRTR] C:\Program Files\ThinkPad\Utilities\PWRMGRTR.DLL (Lenovo Group Limited)
O4 - HKLM..\Run: [ShStatEXE] C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE (McAfee, Inc.)
O4 - HKLM..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe (Sonix)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [TPHOTKEY] C:\Program Files\Lenovo\HOTKEY\TPOSDSVC.exe (Lenovo Group Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk = C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableCAD = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm ()
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\ThinkPad\Bluetooth Software\btsendto_ie.htm ()
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://download.micr...9E3A1BC/fhg.CAB (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_23)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://harrisongrou...ent/ieatgpc.cab (GpcContainer Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 207.69.188.185 207.69.188.186 207.69.188.187
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NY.retailbrandalliance.ad
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\tpfnf2: DllName - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O20 - Winlogon\Notify\tphotkey: DllName - C:\Program Files\Lenovo\HOTKEY\tphklock.dll - C:\Program Files\Lenovo\HOTKEY\tphklock.dll ()
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/01/09 02:20:59 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (sprestrt) - C:\WINDOWS\System32\sprestrt.exe (Microsoft Corporation)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/05/18 20:09:18 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2011/05/18 20:06:56 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/05/18 19:43:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2011/05/18 19:38:16 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/05/18 19:23:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\khaller\Desktop\GooredFix Backups
[2011/05/18 19:20:59 | 000,071,398 | ---- | C] (jpshortstuff) -- C:\Documents and Settings\khaller\Desktop\GooredFix.exe
[2011/05/14 20:14:44 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/05/14 20:14:43 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/05/14 20:14:43 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/05/14 20:14:29 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/05/14 20:12:55 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/05/14 00:11:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/05/13 16:54:58 | 000,120,104 | ---- | C] (Synaptics Incorporated) -- C:\WINDOWS\System32\SynTPCo0.dll
[2011/05/13 15:43:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2011/05/12 20:32:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/05/12 20:31:23 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/05/12 20:31:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/05/12 08:53:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Prefetch
[2011/05/12 08:37:36 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia330.dll
[2011/05/12 08:37:36 | 000,079,872 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rwia001.dll
[2011/05/12 08:37:36 | 000,026,624 | ---- | C] (Ricoh Co., Ltd.) -- C:\WINDOWS\System32\dllcache\rw330ext.dll
[2011/05/12 08:35:37 | 000,054,528 | ---- | C] (Philips Semiconductors GmbH) -- C:\WINDOWS\System32\dllcache\cap7146.sys
[2008/01/09 18:29:05 | 000,167,936 | ---- | C] ( ) -- C:\WINDOWS\System32\rsnp2uvc.dll
[2008/01/09 18:29:04 | 000,053,248 | ---- | C] ( ) -- C:\WINDOWS\System32\csnp2uvc.dll

========== Files - Modified Within 30 Days ==========

[2011/05/18 20:17:40 | 000,000,298 | ---- | M] () -- C:\WINDOWS\tasks\PMTask.job
[2011/05/18 20:15:11 | 000,000,462 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2011/05/18 20:14:14 | 000,002,447 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
[2011/05/18 20:13:11 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/05/18 20:12:42 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/05/18 20:11:05 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/05/18 20:11:03 | 2103,750,656 | -HS- | M] () -- C:\hiberfil.sys
[2011/05/18 20:09:00 | 000,000,888 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/05/18 19:56:38 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/05/18 19:44:07 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2011/05/18 19:17:49 | 000,293,775 | ---- | M] () -- C:\Documents and Settings\khaller\Desktop\gmer.zip
[2011/05/18 19:16:10 | 004,351,251 | R--- | M] () -- C:\Documents and Settings\khaller\Desktop\ComboFix.exe
[2011/05/18 19:15:23 | 000,071,398 | ---- | M] (jpshortstuff) -- C:\Documents and Settings\khaller\Desktop\GooredFix.exe
[2011/05/18 19:08:05 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/05/15 14:01:04 | 000,007,110 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/05/13 17:16:16 | 000,002,521 | ---- | M] () -- C:\Documents and Settings\khaller\Desktop\Microsoft Office Outlook 2003.lnk
[2011/05/13 16:56:10 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2011/05/13 16:56:04 | 000,000,000 | -H-- | M] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2011/05/13 15:43:51 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/05/12 21:02:19 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/05/12 18:49:24 | 000,000,174 | ---- | M] () -- C:\WINDOWS\hpbafd.ini
[2011/05/12 17:50:35 | 000,001,493 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Explorer.lnk
[2011/05/12 09:09:22 | 000,500,836 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/05/12 09:09:22 | 000,085,974 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/05/12 08:52:25 | 000,622,816 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/05/12 08:40:39 | 000,004,382 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/05/12 08:40:39 | 000,001,836 | ---- | M] () -- C:\WINDOWS\setupinf.mif
[2011/05/12 08:39:59 | 000,000,287 | ---- | M] () -- C:\WINDOWS\System32\$winnt$.inf
[2011/05/12 08:34:14 | 000,316,640 | ---- | M] () -- C:\WINDOWS\WMSysPr9.prx
[2011/05/12 08:34:13 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/05/12 08:34:13 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/05/12 08:33:56 | 000,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2011/05/12 08:27:21 | 000,022,832 | ---- | M] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/05/12 07:52:46 | 001,569,257 | ---- | M] () -- C:\WINDOWS\setupapi.old
[2011/05/09 22:29:06 | 000,181,760 | ---- | M] () -- C:\Documents and Settings\khaller\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/05/02 08:55:44 | 000,000,826 | RHS- | M] () -- C:\Documents and Settings\khaller\ntuser.pol
[2011/05/01 15:30:29 | 000,006,272 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\PrimoPDFSet.xml
[2011/05/01 14:43:54 | 000,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/04/27 09:49:49 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\khaller\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk
[2011/04/24 15:10:05 | 000,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2011/04/21 18:59:46 | 000,120,104 | ---- | M] (Synaptics Incorporated) -- C:\WINDOWS\System32\SynTPCo0.dll

========== Files Created - No Company Name ==========

[2011/05/18 19:44:07 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2011/05/18 19:44:03 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2011/05/18 19:22:51 | 000,293,775 | ---- | C] () -- C:\Documents and Settings\khaller\Desktop\gmer.zip
[2011/05/18 19:21:17 | 004,351,251 | R--- | C] () -- C:\Documents and Settings\khaller\Desktop\ComboFix.exe
[2011/05/14 20:14:46 | 000,089,088 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/05/14 20:14:44 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/05/14 20:14:44 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/05/14 20:14:44 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/05/14 20:14:44 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/05/13 16:56:10 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\Msft_Kernel_SynTP_01009.Wdf
[2011/05/13 16:56:04 | 000,000,000 | -H-- | C] () -- C:\WINDOWS\System32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
[2011/05/12 08:52:23 | 2103,750,656 | -HS- | C] () -- C:\hiberfil.sys
[2011/05/12 08:40:39 | 000,001,836 | ---- | C] () -- C:\WINDOWS\setupinf.mif
[2011/05/12 08:37:25 | 000,175,104 | ---- | C] () -- C:\WINDOWS\System32\dllcache\pintlcsa.dll
[2011/05/12 08:36:48 | 001,158,818 | ---- | C] () -- C:\WINDOWS\System32\dllcache\korwbrkr.lex
[2011/05/12 08:36:34 | 000,059,392 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imscinst.exe
[2011/05/12 08:36:33 | 000,196,665 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imjpinst.exe
[2011/05/12 08:36:30 | 000,134,339 | ---- | C] () -- C:\WINDOWS\System32\dllcache\imekr.lex
[2011/05/12 08:36:18 | 013,463,552 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hwxjpn.dll
[2011/05/12 08:36:10 | 000,108,827 | ---- | C] () -- C:\WINDOWS\System32\dllcache\hanja.lex
[2011/05/12 08:36:03 | 000,094,208 | ---- | C] () -- C:\WINDOWS\System32\dllcache\fpencode.dll
[2011/05/12 08:35:41 | 000,173,568 | ---- | C] () -- C:\WINDOWS\System32\dllcache\chtskf.dll
[2011/05/12 08:32:39 | 000,000,786 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Movie Maker.lnk
[2011/05/12 08:27:25 | 000,000,609 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Messenger.lnk
[2011/05/11 13:15:27 | 000,141,702 | ---- | C] () -- C:\WINDOWS\System32\dllcache\netfx.cat
[2011/05/11 13:15:27 | 000,110,116 | ---- | C] () -- C:\WINDOWS\System32\dllcache\tabletpc.cat
[2011/05/11 13:15:27 | 000,031,965 | ---- | C] () -- C:\WINDOWS\System32\dllcache\mediactr.cat
[2011/05/11 13:15:27 | 000,024,209 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn7.cat
[2011/05/11 13:15:27 | 000,011,651 | ---- | C] () -- C:\WINDOWS\System32\dllcache\msn9.cat
[2011/05/11 13:15:26 | 002,012,670 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5.CAT
[2011/05/11 13:15:26 | 001,042,903 | ---- | C] () -- C:\WINDOWS\System32\dllcache\SP2.CAT
[2011/05/11 13:15:26 | 000,797,189 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5IIS.CAT
[2011/05/11 13:15:26 | 000,399,645 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MAPIMIG.CAT
[2011/05/11 13:15:26 | 000,037,484 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MW770.CAT
[2011/05/11 13:15:26 | 000,031,281 | ---- | C] () -- C:\WINDOWS\System32\dllcache\FP4.CAT
[2011/05/11 13:15:26 | 000,013,753 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IMS.CAT
[2011/05/11 13:15:26 | 000,013,472 | ---- | C] () -- C:\WINDOWS\System32\dllcache\HPCRDP.CAT
[2011/05/11 13:15:26 | 000,009,581 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSMSGS.CAT
[2011/05/11 13:15:26 | 000,008,574 | ---- | C] () -- C:\WINDOWS\System32\dllcache\IASNT4.CAT
[2011/05/11 13:15:26 | 000,007,382 | ---- | C] () -- C:\WINDOWS\System32\dllcache\OEMBIOS.CAT
[2011/05/11 13:15:26 | 000,007,245 | ---- | C] () -- C:\WINDOWS\System32\dllcache\MSTSWEB.CAT
[2011/05/11 13:15:25 | 000,502,724 | ---- | C] () -- C:\WINDOWS\System32\dllcache\NT5INF.CAT
[2011/04/11 23:12:14 | 000,464,254 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-2143859127-1516982502-3389632016-3411-0.dat
[2011/03/11 18:55:16 | 000,464,254 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/01/04 22:11:42 | 000,315,864 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/08/28 09:33:13 | 000,000,050 | ---- | C] () -- C:\WINDOWS\System32\bridf06a.dat
[2010/08/28 09:32:15 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\BrMuSNMP.dll
[2010/08/24 12:43:28 | 000,000,419 | ---- | C] () -- C:\WINDOWS\BRWMARK.INI
[2010/08/24 12:43:28 | 000,000,027 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
[2010/07/03 16:50:15 | 000,148,080 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2010/06/24 17:46:31 | 000,000,041 | ---- | C] () -- C:\WINDOWS\webica.ini
[2010/06/02 12:02:10 | 000,004,764 | ---- | C] () -- C:\WINDOWS\System32\CcmFramework.ini
[2009/11/30 15:34:25 | 000,001,025 | ---- | C] () -- C:\WINDOWS\System32\sysprs7.dll
[2009/11/30 15:34:25 | 000,000,205 | ---- | C] () -- C:\WINDOWS\System32\lsprst7.dll
[2009/11/05 10:45:55 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\khaller\Application Data\winscp.rnd
[2009/10/21 12:24:15 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/05/13 13:02:24 | 000,050,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\atnt40k.sys
[2008/11/22 01:18:40 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\pool.bin
[2008/10/06 10:17:13 | 000,000,078 | ---- | C] () -- C:\WINDOWS\ricdb.ini
[2008/06/12 14:35:50 | 000,163,896 | ---- | C] () -- C:\WINDOWS\sequencer.exe
[2008/06/12 14:35:18 | 000,000,175 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/04/30 10:20:12 | 000,006,272 | ---- | C] () -- C:\Documents and Settings\khaller\Application Data\PrimoPDFSet.xml
[2008/04/30 10:20:12 | 000,000,311 | ---- | C] () -- C:\Documents and Settings\khaller\Application Data\APUSet.xml
[2008/04/30 10:18:04 | 000,176,235 | ---- | C] () -- C:\WINDOWS\System32\Primomonnt.dll
[2008/04/30 10:17:39 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2008/04/20 15:48:51 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7Q.DLL
[2008/03/19 10:50:15 | 000,048,586 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\xpif-v02030a.dtd
[2008/03/12 13:21:21 | 000,181,760 | ---- | C] () -- C:\Documents and Settings\khaller\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/02/27 20:13:50 | 000,000,174 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008/02/06 13:40:26 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PROTOCOL.INI
[2008/01/12 12:02:28 | 000,000,462 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/01/12 01:13:44 | 000,016,384 | ---- | C] () -- C:\WINDOWS\PWMBTHLP.EXE
[2008/01/12 01:13:44 | 000,004,442 | ---- | C] () -- C:\WINDOWS\System32\drivers\TPPWRIF.SYS
[2008/01/11 17:00:45 | 000,001,270 | ---- | C] () -- C:\WINDOWS\hpbvnstp.ini
[2008/01/11 16:05:09 | 000,192,512 | ---- | C] () -- C:\WINDOWS\System32\HPB1320V.DLL
[2008/01/11 16:05:09 | 000,094,274 | ---- | C] () -- C:\WINDOWS\System32\HPBHEALR.DLL
[2008/01/11 16:05:09 | 000,000,319 | ---- | C] () -- C:\WINDOWS\System32\HPB1320V.DAT
[2008/01/09 18:29:07 | 000,015,497 | ---- | C] () -- C:\WINDOWS\snp2uvc.ini
[2008/01/09 18:29:05 | 009,598,080 | ---- | C] () -- C:\WINDOWS\System32\drivers\snp2uvc.sys
[2008/01/09 06:59:51 | 000,000,041 | ---- | C] () -- C:\WINDOWS\CSERVE.INI
[2008/01/09 06:45:57 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/01/09 06:00:52 | 000,651,264 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2008/01/09 06:00:52 | 000,147,456 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2008/01/09 02:25:54 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2008/01/09 02:18:06 | 000,022,832 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/01/08 21:05:54 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2008/01/08 21:04:26 | 000,622,816 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2007/10/26 14:28:18 | 000,197,408 | ---- | C] () -- C:\WINDOWS\System32\vpnapi.dll
[2007/10/26 14:28:04 | 000,193,312 | ---- | C] () -- C:\WINDOWS\System32\CSGina.dll
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/08/09 11:43:16 | 000,204,800 | ---- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4860.dll
[2007/08/09 11:28:52 | 000,910,464 | ---- | C] () -- C:\WINDOWS\System32\igmedkrn.dll
[2007/02/27 18:48:38 | 002,842,624 | ---- | C] () -- C:\WINDOWS\System32\btwicons.dll
[2007/02/27 18:29:32 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\btprn2k.dll
[2006/11/06 17:49:36 | 000,000,310 | ---- | C] () -- C:\WINDOWS\primopdf.ini
[2006/06/14 12:26:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/04 08:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2004/08/04 08:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2004/08/04 08:00:00 | 000,500,836 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2004/08/04 08:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2004/08/04 08:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2004/08/04 08:00:00 | 000,085,974 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2004/08/04 08:00:00 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\ieencode.dll
[2004/08/04 08:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2004/08/04 08:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2004/08/04 08:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys
[2004/08/04 08:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2004/08/04 08:00:00 | 000,004,463 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2004/08/04 08:00:00 | 000,001,788 | ---- | C] () -- C:\WINDOWS\System32\Dcache.bin
[2004/08/04 08:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2001/11/14 13:56:00 | 001,802,240 | ---- | C] () -- C:\WINDOWS\System32\lcppn21.dll

========== LOP Check ==========

[2008/04/20 15:48:53 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2009/10/22 16:46:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Network Associates
[2009/11/30 15:38:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SafeNet Sentinel
[2010/05/30 13:35:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/01/02 00:35:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Amazon
[2008/11/22 01:31:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Blackberry Desktop
[2010/08/28 09:10:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Canon
[2009/05/20 18:13:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\com.nyt.timesreader.78C54164786ADE80CB31E1C5D95607D0938C987A.1
[2010/06/22 11:26:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\ICAClient
[2008/07/14 16:27:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\InterVideo
[2009/05/24 14:39:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Leadertech
[2010/06/01 14:39:42 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\org.gapminder.desktop.434684C0EEE0B6011903D7CB9F42374B4E5823E7.1
[2008/11/22 01:18:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Research In Motion
[2010/02/08 15:12:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\TweetDeckFast.FFF259DC0CE2657847BBB4AFF0E62062EFC56543.1
[2011/01/18 16:03:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\webex
[2009/05/26 15:50:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Windows Desktop Search
[2009/05/26 17:06:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Windows Search
[2009/05/05 15:38:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\khaller\Application Data\Xerox
[2011/05/18 20:17:40 | 000,000,298 | ---- | M] () -- C:\WINDOWS\Tasks\PMTask.job

========== Purity Check ==========



< End of report >
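The OTL sections in the log above that a removal helper reads by eye are the O1 hosts entries, the O4 autoruns, the O20 Winlogon Shell/Notify values and the O35/O37 exe/com "open" commands. As an added example that is not part of this thread and not part of OTL itself, the Python script below parses those line formats and flags the conditions that usually matter: a hosts entry pointing anywhere but localhost, an autorun or Winlogon Notify DLL whose file carries no publisher string (OTL prints an empty pair of parentheses), a Winlogon Shell other than explorer.exe, and an exe/com "open" command that differs from the Windows default "%1" %*. The sample input reuses lines from the log above plus two constructed lines (marked in the code) showing what hijacked entries look like; the hostname and path in those two lines are hypothetical, and the C:\WINDOWS system root is assumed from the log.

```python
"""Triage helper for the OTL log sections quoted in this thread.

Added example: not the forum helper's procedure and not part of OTL.
It scans the O1 / O4 / O20 / O35 / O37 lines and flags what a removal
helper checks by hand before deciding what (if anything) to remove.
"""
import re
from dataclasses import dataclass

# Windows default for the exefile / comfile [open] command verbs.
DEFAULT_OPEN_CMD = '"%1" %*'
# The only hosts-file mappings that should normally be present on a clean box.
HOSTS_ALLOWED = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# OTL prints the binary's version-info company in trailing parentheses;
# an empty "()" means the file carries no publisher string at all.
PUBLISHER_RE = re.compile(r"\(([^()]*)\)\s*$")
# System root taken from the log above (assumption: not read from the registry).
EXPECTED_SHELL = r"c:\windows\explorer.exe"


@dataclass(frozen=True)
class Finding:
    section: str   # OTL section tag, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the offending log line, verbatim


def publisher_of(line: str) -> str:
    """Return the publisher OTL recorded for the line, or "" if none."""
    m = PUBLISHER_RE.search(line)
    return m.group(1).strip() if m else ""


def triage(lines):
    """Run the checks over OTL log lines; return flagged lines in log order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("O1 - Hosts:"):
            parts = line[len("O1 - Hosts:"):].split()
            if len(parts) >= 2 and (parts[0], parts[1]) not in HOSTS_ALLOWED:
                findings.append(Finding("O1", "hosts entry other than localhost", line))
        elif line.startswith("O4 - "):
            if not publisher_of(line):
                findings.append(Finding("O4", "autorun target has no publisher", line))
        elif line.startswith("O20 - Winlogon\\Notify"):
            if not publisher_of(line):
                findings.append(Finding("O20", "Winlogon Notify DLL has no publisher", line))
        elif line.startswith("O20 - HKLM Winlogon: Shell"):
            # Last " - " field is the resolved path plus publisher.
            target = line.split(" - ")[-1].lower()
            if not target.startswith(EXPECTED_SHELL):
                findings.append(Finding("O20", "Winlogon Shell is not explorer.exe", line))
        elif line.startswith(("O35 - ", "O37 - ")):
            cmd = line.split(" -- ", 1)[1].strip() if " -- " in line else ""
            if cmd != DEFAULT_OPEN_CMD:
                findings.append(Finding(line[:3], "exe/com open command is not the default", line))
    return findings


# Lines copied verbatim from the OTL log posted in this thread.
PAGE_LINES = r"""
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptsn.dll (McAfee, Inc.)
O4 - HKLM..\Run: [BLOG] C:\Program Files\ThinkPad\Utilities\BATLOGEX.DLL ()
O4 - HKLM..\Run: [McAfeeUpdaterUI] C:\Program Files\McAfee\Common Framework\udaterui.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk = C:\WINDOWS\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\tpfnf2: DllName - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll - C:\Program Files\Lenovo\HOTKEY\notifyf2.dll ()
O35 - HKLM\..comfile [open] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
""".strip().splitlines()

# CONSTRUCTED lines, not from the log: a hosts redirection and a hijacked
# exefile open command, with a hypothetical hostname and path.
CONSTRUCTED_LINES = [
    r"O1 - Hosts: 127.0.0.1 update.example-av.test",
    r'O35 - HKLM\..exefile [open] -- "C:\Temp\hypothetical.exe" "%1" %*',
]
SAMPLE_LOG = PAGE_LINES + CONSTRUCTED_LINES

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

A flag is a lead, not a verdict. On the log above the script marks the ThinkPad BATLOGEX.DLL autorun, the VPN Client.lnk whose target resolves to an .ico in the Installer cache, and the Lenovo notifyf2.dll Winlogon Notify entry, all because they carry no publisher string; those are OEM components, and the right next step for an entry like that is to check the file's hash, signature and path, not to delete it on sight. The two constructed lines show what the checks are actually for: a hosts mapping that redirects an update hostname, and an exefile open command that inserts a third-party binary in front of every .exe launch.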

#8 krhaller (Member, Topic Starter, 29 posts)
Here's the result of the full GMER scan. Let me know if there's anything else that needs to be done.

Thanks again,

-Karl
____________________

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-18 22:21:28
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HITACHI_HTS541616J9SA00 rev.SB4IC7UP
Running: gmer.exe; Driver: C:\DOCUME~1\khaller\LOCALS~1\Temp\kgrdapoc.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateFile [0xB9D93238]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xB9D930F6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcess [0xB9D93090]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB9D930A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xB9D9310A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB9D93136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB9D931A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB9D9318E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwLoadKey2 [0xB9D931BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB9D93278]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB9D931E6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xB9D930E2]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xB9D93054]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xB9D93068]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB9D9324C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryKey [0xB9D93222]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB9D93178]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB9D93162]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xB9D93120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwReplaceKey [0xB9D9320E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRestoreKey [0xB9D931FA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetContextThread [0xB9D930CE]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB9D930BA]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xB9D9314C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB9D932A7]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnloadKey [0xB9D931D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB9D9328E]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xB9D93262]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtCreateFile
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80503DBC 7 Bytes JMP B9D93266 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80577E5E 5 Bytes JMP B9D9323C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B09CE 7 Bytes JMP B9D9327C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B17DC 5 Bytes JMP B9D93292 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B6DA2 7 Bytes JMP B9D93250 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C9C46 5 Bytes JMP B9D93058 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C9ED2 5 Bytes JMP B9D9306C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CC690 5 Bytes JMP B9D930BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805CF966 7 Bytes JMP B9D930A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805CFA1C 5 Bytes JMP B9D93094 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805CFF26 5 Bytes JMP B9D930D2 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D1170 5 Bytes JMP B9D932AB mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80620102 7 Bytes JMP B9D93166 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 80620450 5 Bytes JMP B9D931FE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80620708 7 Bytes JMP B9D93150 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 806209D0 7 Bytes JMP B9D931D4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80621216 7 Bytes JMP B9D9317C mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80621A6E 7 Bytes JMP B9D93124 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 80622048 5 Bytes JMP B9D930FA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 806224D8 7 Bytes JMP B9D9310E mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 806226A8 7 Bytes JMP B9D9313A mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80622888 7 Bytes JMP B9D931A8 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 80622AF2 7 Bytes JMP B9D93192 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 806233DE 5 Bytes JMP B9D930E6 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80623702 7 Bytes JMP B9D93226 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwLoadKey2 806239C2 7 Bytes JMP B9D931BE mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 80623C28 5 Bytes JMP B9D93212 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80623D42 5 Bytes JMP B9D931EA mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01880000
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 01880F3A
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 01880F4B
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01880F66
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01880F83
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01880FAF
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 01880F15
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 0188005B
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 0188009D
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01880F04
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 018800AE
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 01880F94
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 01880FE5
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 0188004A
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 0188001B
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 01880FD4
.text C:\WINDOWS\System32\svchost.exe[304] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 01880082
.text C:\WINDOWS\System32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 01870FC3
.text C:\WINDOWS\System32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 01870080
.text C:\WINDOWS\System32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 01870FDE
.text C:\WINDOWS\System32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 01870FEF
.text C:\WINDOWS\System32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 01870065
.text C:\WINDOWS\System32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 0187004A
.text C:\WINDOWS\System32\svchost.exe[304] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 01870000
.text C:\WINDOWS\System32\svchost.exe[304] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 0187002F
.text C:\WINDOWS\System32\svchost.exe[304] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01860053
.text C:\WINDOWS\System32\svchost.exe[304] msvcrt.dll!system 77C293C7 5 Bytes JMP 01860FC8
.text C:\WINDOWS\System32\svchost.exe[304] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0186001D
.text C:\WINDOWS\System32\svchost.exe[304] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0186000C
.text C:\WINDOWS\System32\svchost.exe[304] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0186002E
.text C:\WINDOWS\System32\svchost.exe[304] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01860FEF
.text C:\WINDOWS\System32\svchost.exe[304] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 01140FEF
.text C:\WINDOWS\System32\svchost.exe[304] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 01850FE5
.text C:\WINDOWS\System32\svchost.exe[304] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 01850000
.text C:\WINDOWS\System32\svchost.exe[304] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 01850FD4
.text C:\WINDOWS\System32\svchost.exe[304] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 01850FA3
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 001A0000
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 001A0F92
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 001A0087
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 001A0FAF
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 001A006C
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 001A00BF
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 001A00A2
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 001A00F5
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 001A00E4
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 001A0106
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 001A005B
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 001A0F77
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 001A0040
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 001A001B
.text C:\WINDOWS\Explorer.EXE[400] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 001A0F5C
.text C:\WINDOWS\Explorer.EXE[400] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00280058
.text C:\WINDOWS\Explorer.EXE[400] msvcrt.dll!system 77C293C7 5 Bytes JMP 0028003D
.text C:\WINDOWS\Explorer.EXE[400] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00280011
.text C:\WINDOWS\Explorer.EXE[400] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00280FEF
.text C:\WINDOWS\Explorer.EXE[400] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0028002C
.text C:\WINDOWS\Explorer.EXE[400] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00280000
.text C:\WINDOWS\Explorer.EXE[400] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00290036
.text C:\WINDOWS\Explorer.EXE[400] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00290F83
.text C:\WINDOWS\Explorer.EXE[400] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00290FE5
.text C:\WINDOWS\Explorer.EXE[400] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00290011
.text C:\WINDOWS\Explorer.EXE[400] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00290F9E
.text C:\WINDOWS\Explorer.EXE[400] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00290FB9
.text C:\WINDOWS\Explorer.EXE[400] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[400] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00290FCA
.text C:\WINDOWS\Explorer.EXE[400] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[400] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 002B002C
.text C:\WINDOWS\Explorer.EXE[400] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 002B001B
.text C:\WINDOWS\Explorer.EXE[400] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 002B0FD9
.text C:\WINDOWS\Explorer.EXE[400] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00F50FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00BC0FEF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00BC00A2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00BC0091
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00BC0076
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00BC0065
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00BC0FC3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00BC0F7C
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00BC00CE
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00BC010E
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00BC00F3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00BC0F5A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00BC004A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00BC0FD4
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00BC00BD
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00BC0025
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00BC000A
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00BC0F6B
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BA0042
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BA0FB7
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BA0027
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BA0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BA0FD2
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BA0FE3
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00BB0FCA
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00BB0062
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00BB0011
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00BB0000
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00BB0051
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00BB0FAF
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00BB0FE5
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00BB0036
.text C:\Program Files\McAfee\Common Framework\naPrdMgr.exe[508] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 009A0F92
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 009A007D
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 009A006C
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 009A0051
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 009A0FC0
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 009A00BD
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 009A0F75
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 009A0F49
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 009A00E2
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 009A0F38
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 009A0FAF
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 009A0FDB
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 009A00A2
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 009A002C
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 009A0011
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 009A0F64
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00990025
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00990F97
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00990014
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00990FDE
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00990FA8
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00990040
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00990FB9
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00980F89
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!system 77C293C7 5 Bytes JMP 00980F9A
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00980FBC
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00980000
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00980FAB
.text C:\WINDOWS\system32\svchost.exe[552] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00980FD7
.text C:\WINDOWS\system32\svchost.exe[552] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00970000
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008B0FEF
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008B0F80
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008B0FA5
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008B0073
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008B0062
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008B0036
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008B0090
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008B0F48
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008B0F12
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008B0F23
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 008B0F01
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 008B0047
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 008B000A
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 008B0F6F
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 008B0025
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 008B0FD4
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 008B00A1
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008A000A
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008A0065
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008A0FB9
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008A0FD4
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008A0040
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008A0025
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008A0FEF
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008A0F9E
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 007C0FCF
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!system 77C293C7 5 Bytes JMP 007C0050
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 007C002E
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 007C003F
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 007C001D
.text C:\WINDOWS\system32\svchost.exe[832] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00700000
.text C:\WINDOWS\system32\svchost.exe[832] WININET.dll!InternetOpenA 771C6D2A 5 Bytes JMP 00710FEF
.text C:\WINDOWS\system32\svchost.exe[832] WININET.dll!InternetOpenUrlA 771C6FDD 5 Bytes JMP 0071001B
.text C:\WINDOWS\system32\svchost.exe[832] WININET.dll!InternetOpenW 771D6CF3 5 Bytes JMP 0071000A
.text C:\WINDOWS\system32\svchost.exe[832] WININET.dll!InternetOpenUrlW 771D7304 5 Bytes JMP 00710FD4
.text C:\WINDOWS\system32\SearchIndexer.exe[972] kernel32.dll!WriteFile 7C810F9F 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006E0F5E
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006E0F6F
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006E0053
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006E0036
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006E001B
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006E0F37
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006E007F
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006E009A
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006E0F01
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 006E00AB
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 006E0F94
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 006E0FD4
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 006E006E
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\System32\svchost.exe[1056] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 006E0F26
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006D001B
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006D0F9E
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006D005B
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006D0FAF
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006D0036
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0FB9
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0FCA
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0029
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C000C
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C0044
.text C:\WINDOWS\System32\svchost.exe[1056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[1056] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006B0000
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 006E0F94
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 006E0089
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 006E0FA5
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 006E0062
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 006E0036
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 006E0F72
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 006E00BA
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 006E00F0
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 006E00DF
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 006E0101
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 006E0047
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 006E0FEF
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 006E0F83
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 006E001B
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 006E0FCA
.text C:\WINDOWS\System32\svchost.exe[1096] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 006E0F61
.text C:\WINDOWS\System32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 006D0FD4
.text C:\WINDOWS\System32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 006D004A
.text C:\WINDOWS\System32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 006D0025
.text C:\WINDOWS\System32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 006D000A
.text C:\WINDOWS\System32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 006D0F8D
.text C:\WINDOWS\System32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 006D0FA8
.text C:\WINDOWS\System32\svchost.exe[1096] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 006D0FEF
.text C:\WINDOWS\System32\svchost.exe[1096] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 006D0FB9
.text C:\WINDOWS\System32\svchost.exe[1096] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006C0049
.text C:\WINDOWS\System32\svchost.exe[1096] msvcrt.dll!system 77C293C7 5 Bytes JMP 006C0038
.text C:\WINDOWS\System32\svchost.exe[1096] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006C0FC8
.text C:\WINDOWS\System32\svchost.exe[1096] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006C000C
.text C:\WINDOWS\System32\svchost.exe[1096] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006C001D
.text C:\WINDOWS\System32\svchost.exe[1096] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006C0FE3
.text C:\WINDOWS\System32\svchost.exe[1096] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 006B0000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 027A0FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 027A0098
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 027A007D
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 027A006C
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 027A0051
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 027A0FAF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 027A0F63
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 027A00A9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 027A00E1
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 027A0F48
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 027A0106
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 027A0040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 027A000A
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 027A0F88
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 027A0025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 027A0FD4
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 027A00C6
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02780FC8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] msvcrt.dll!system 77C293C7 5 Bytes JMP 02780FD9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0278002E
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02780000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02780049
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02780011
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 02790FEF
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 02790065
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 02790040
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 02790025
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 02790FA8
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 02790FB9
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 02790000
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 02790FDE
.text C:\Program Files\McAfee\Common Framework\FrameworkService.exe[1524] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 0277000A
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00D90FEF
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00D90060
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00D90F61
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00D90F7C
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00D9002F
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00D90F97
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00D90F3F
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00D90087
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00D900A9
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00D90098
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00D900C4
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00D9001E
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00D90FCA
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00D90F50
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00D90FA8
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00D90FB9
.text C:\WINDOWS\system32\services.exe[1624] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00D90F24
.text C:\WINDOWS\system32\services.exe[1624] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A1005D
.text C:\WINDOWS\system32\services.exe[1624] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A10042
.text C:\WINDOWS\system32\services.exe[1624] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A10027
.text C:\WINDOWS\system32\services.exe[1624] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\services.exe[1624] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A10FD2
.text C:\WINDOWS\system32\services.exe[1624] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A10FE3
.text C:\WINDOWS\system32\services.exe[1624] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A20FEF
.text C:\WINDOWS\system32\services.exe[1624] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A200A2
.text C:\WINDOWS\system32\services.exe[1624] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A20036
.text C:\WINDOWS\system32\services.exe[1624] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A2001B
.text C:\WINDOWS\system32\services.exe[1624] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A20091
.text C:\WINDOWS\system32\services.exe[1624] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A20080
.text C:\WINDOWS\system32\services.exe[1624] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A20000
.text C:\WINDOWS\system32\services.exe[1624] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A2005B
.text C:\WINDOWS\system32\services.exe[1624] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00FE0000
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00FE0045
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00FE0F50
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00FE0F61
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00FE0F72
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00FE0F9E
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00FE0F1F
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00FE0067
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00FE008C
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00FE0EF3
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00FE009D
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00FE0F83
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00FE0FDB
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00FE0056
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00FE0FAF
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00FE0FC0
.text C:\WINDOWS\system32\lsass.exe[1636] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00FE0F0E
.text C:\WINDOWS\system32\lsass.exe[1636] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00E1002F
.text C:\WINDOWS\system32\lsass.exe[1636] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00E10080
.text C:\WINDOWS\system32\lsass.exe[1636] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00E10FD4
.text C:\WINDOWS\system32\lsass.exe[1636] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00E10FE5
.text C:\WINDOWS\system32\lsass.exe[1636] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00E10065
.text C:\WINDOWS\system32\lsass.exe[1636] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00E1004A
.text C:\WINDOWS\system32\lsass.exe[1636] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00E10000
.text C:\WINDOWS\system32\lsass.exe[1636] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00E10FC3
.text C:\WINDOWS\system32\lsass.exe[1636] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DB0FA8
.text C:\WINDOWS\system32\lsass.exe[1636] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DB0FCD
.text C:\WINDOWS\system32\lsass.exe[1636] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DB0FEF
.text C:\WINDOWS\system32\lsass.exe[1636] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\lsass.exe[1636] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DB0FDE
.text C:\WINDOWS\system32\lsass.exe[1636] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DB001D
.text C:\WINDOWS\system32\lsass.exe[1636] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00DA0FEF
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 008F0000
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 008F008A
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 008F0F8B
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 008F0F9C
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 008F0065
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 008F0FC3
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 008F00D3
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 008F00C2
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 008F00EE
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 008F0F55
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 008F00FF
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 008F004A
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 008F00A5
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 008F0FD4
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 008F0025
.text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 008F0F70
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 008E001B
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 008E0F94
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 008E000A
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 008E0FDE
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 008E0047
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 008E0036
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 008E0FEF
.text C:\WINDOWS\system32\svchost.exe[1752] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 008E0FA5
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008D0FA8
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!system 77C293C7 5 Bytes JMP 008D0033
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008D0022
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008D0000
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008D0FC3
.text C:\WINDOWS\system32\svchost.exe[1752] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008D0011
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DF0FEF
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00DF0F54
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00DF0049
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DF002C
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DF001B
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00DF0F8D
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00DF008B
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00DF0064
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DF00C8
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DF00AD
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00DF0F14
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00DF000A
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00DF0FDE
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00DF0F43
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00DF0FA8
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00DF0FC3
.text C:\WINDOWS\system32\svchost.exe[1864] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00DF009C
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00DE000A
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00DE0F72
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00DE0FB9
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00DE0FD4
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00DE0F83
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00DE0025
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00DE0FEF
.text C:\WINDOWS\system32\svchost.exe[1864] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00DE0F9E
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C40FB7
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C40042
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C40016
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40FE3
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40027
.text C:\WINDOWS\system32\svchost.exe[1864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C40FD2
.text C:\WINDOWS\system32\svchost.exe[1864] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00A20FE5
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!VirtualProtectEx 7C801A5D 5 Bytes JMP 00A20076
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!VirtualProtect 7C801AD0 5 Bytes JMP 00A2005B
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00A20F81
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00A2004A
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00A20FB9
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!GetStartupInfoW 7C801E50 5 Bytes JMP 00A20F38
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!GetStartupInfoA 7C801EEE 5 Bytes JMP 00A20F49
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00A200C0
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00A20F27
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!GetProcAddress 7C80AC28 5 Bytes JMP 00A20F0C
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!LoadLibraryW 7C80ACD3 5 Bytes JMP 00A20FA8
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateFileW 7C810976 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreatePipe 7C81DD9A 5 Bytes JMP 00A20F66
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateNamedPipeW 7C82631D 5 Bytes JMP 00A20FD4
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!CreateNamedPipeA 7C85FA54 5 Bytes JMP 00A2001B
.text C:\WINDOWS\system32\svchost.exe[1932] kernel32.dll!WinExec 7C86114D 5 Bytes JMP 00A200A5
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExW 77DD6A78 5 Bytes JMP 00A10040
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExW 77DD7535 5 Bytes JMP 00A10087
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyExA 77DD761B 5 Bytes JMP 00A10025
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyW 77DD770F 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyExA 77DDEAF4 5 Bytes JMP 00A10076
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyW 77DF8F7D 5 Bytes JMP 00A10065
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegOpenKeyA 77DFC41B 5 Bytes JMP 00A10FEF
.text C:\WINDOWS\system32\svchost.exe[1932] ADVAPI32.dll!RegCreateKeyA 77DFD5BB 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A00047
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00FBC
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A00011
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00FE3
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A0002C
.text C:\WINDOWS\system32\svchost.exe[1932] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A00000
.text C:\WINDOWS\system32\svchost.exe[1932] WS2_32.dll!socket 71AB3B91 5 Bytes JMP 009F0FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[1008] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00405941] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdik.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

#9
michaelg9

    Trusted Helper

  • Malware Removal
  • 2,949 posts
Hello,

Can you tell me what symptoms your computer has? Like search engine redirects?
Also, you have retailbrandalliance as your home page and domain server. Are these your desired settings?

Next:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


#10
krhaller

    Member

  • Topic Starter
  • Member
  • 29 posts
Thanks.

I'm not currently having any noticeable symptoms, but I was having a fair number of page redirects, both upon launching Firefox and when doing searches. Here are the ones where I grabbed the URL. These all occurred on May 13-15.


Yes, retailbrandalliance is my preferred homepage. Thanks. I will run TDSSKiller and post the results. I may not be able to get to it until late afternoon or this evening.

Thanks again,

-Karl

Edited by michaelg9, 19 May 2011 - 01:08 PM.
removed due to safety reasons

#11
krhaller

    Member

  • Topic Starter
  • Member
  • 29 posts
I ran TDSS. Nothing was found. Here's the log.

Thanks.

-Karl
________________

2011/05/19 20:57:09.0609 5724 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/19 20:57:10.0062 5724 ================================================================================
2011/05/19 20:57:10.0062 5724 SystemInfo:
2011/05/19 20:57:10.0062 5724
2011/05/19 20:57:10.0062 5724 OS Version: 5.1.2600 ServicePack: 2.0
2011/05/19 20:57:10.0062 5724 Product type: Workstation
2011/05/19 20:57:10.0062 5724 ComputerName: KHALLERXP1-346
2011/05/19 20:57:10.0062 5724 UserName: khaller
2011/05/19 20:57:10.0062 5724 Windows directory: C:\WINDOWS
2011/05/19 20:57:10.0062 5724 System windows directory: C:\WINDOWS
2011/05/19 20:57:10.0062 5724 Processor architecture: Intel x86
2011/05/19 20:57:10.0062 5724 Number of processors: 2
2011/05/19 20:57:10.0062 5724 Page size: 0x1000
2011/05/19 20:57:10.0062 5724 Boot type: Normal boot
2011/05/19 20:57:10.0062 5724 ================================================================================
2011/05/19 20:57:10.0671 5724 Initialize success
2011/05/19 20:57:15.0812 0660 ================================================================================
2011/05/19 20:57:15.0812 0660 Scan started
2011/05/19 20:57:15.0812 0660 Mode: Manual;
2011/05/19 20:57:15.0812 0660 ================================================================================
2011/05/19 20:57:17.0437 0660 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/19 20:57:17.0468 0660 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/05/19 20:57:17.0843 0660 ADIHdAudAddService (d537f3d03c6301fefa21f3eee8cc82d8) C:\WINDOWS\system32\drivers\ADIHdAud.sys
2011/05/19 20:57:17.0968 0660 AEAudio (860df7676869cd8690cb2b23ab6de66a) C:\WINDOWS\system32\drivers\AEAudio.sys
2011/05/19 20:57:18.0015 0660 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
2011/05/19 20:57:18.0078 0660 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/05/19 20:57:18.0265 0660 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2011/05/19 20:57:18.0437 0660 AR5211 (275521a350a6f770fea954d5b8b2d35b) C:\WINDOWS\system32\DRIVERS\ar5211.sys
2011/05/19 20:57:18.0562 0660 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/19 20:57:19.0031 0660 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/19 20:57:19.0078 0660 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/19 20:57:19.0140 0660 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/19 20:57:19.0203 0660 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/19 20:57:19.0281 0660 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/19 20:57:19.0359 0660 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
2011/05/19 20:57:19.0484 0660 btaudio (3aa4bf555c00c5b87fd48dd7bdbd4e97) C:\WINDOWS\system32\drivers\btaudio.sys
2011/05/19 20:57:19.0687 0660 BTDriver (07f0a66cfa550b13ad0674ae09e3cba0) C:\WINDOWS\system32\DRIVERS\btport.sys
2011/05/19 20:57:19.0828 0660 BTKRNL (9da09b5800b9de8336948664e3b9cc94) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2011/05/19 20:57:20.0046 0660 BTWDNDIS (b1d350f3f13cf340fce93912d2ba1ebf) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2011/05/19 20:57:20.0156 0660 BTWUSB (57e91e9925976bbc98984eebaaf1d84c) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/05/19 20:57:20.0484 0660 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/19 20:57:20.0515 0660 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/19 20:57:20.0578 0660 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/19 20:57:20.0640 0660 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/19 20:57:20.0687 0660 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/19 20:57:20.0828 0660 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/05/19 20:57:20.0890 0660 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/05/19 20:57:20.0968 0660 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/05/19 20:57:21.0093 0660 CVPNDRVA (8a15d7bd4cf1a8ccd7c65f7349f22e35) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2011/05/19 20:57:21.0296 0660 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/19 20:57:21.0343 0660 DLABOIOM (35cbc02546335ea41a5d516da6626c8a) C:\WINDOWS\system32\DLA\DLABOIOM.SYS
2011/05/19 20:57:21.0437 0660 DLACDBHM (ec6ae8bc9f773382d2eed49e4dfdae2a) C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
2011/05/19 20:57:21.0625 0660 DLADResN (19e3db16de2bb3db81b172a78d140b03) C:\WINDOWS\system32\DLA\DLADResN.SYS
2011/05/19 20:57:21.0687 0660 DLAIFS_M (e4859ca5bd8412a9a60d62067a653522) C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
2011/05/19 20:57:21.0765 0660 DLAOPIOM (20c24a3d1cf0825487c93f806625805e) C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
2011/05/19 20:57:21.0812 0660 DLAPoolM (8a530da5dc81954bcf1966813f699b49) C:\WINDOWS\system32\DLA\DLAPoolM.SYS
2011/05/19 20:57:21.0906 0660 DLARTL_N (0605b66052f82b6f07204dbdb61c13ff) C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
2011/05/19 20:57:22.0093 0660 DLAUDFAM (7eda68af6a91bf64af6f301e39928ebf) C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
2011/05/19 20:57:22.0171 0660 DLAUDF_M (a18423bbc6d92b01fdf3c51e7510ee70) C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
2011/05/19 20:57:22.0421 0660 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/19 20:57:23.0109 0660 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/19 20:57:23.0171 0660 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/19 20:57:23.0234 0660 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/19 20:57:23.0296 0660 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/05/19 20:57:23.0765 0660 Dot4 (ad7fc1963b152b3728e3c4f83554a576) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2011/05/19 20:57:23.0890 0660 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2011/05/19 20:57:23.0953 0660 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2011/05/19 20:57:24.0031 0660 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/19 20:57:24.0093 0660 DRVMCDB (48c7008d23dcfce0d0232f49307efced) C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
2011/05/19 20:57:24.0281 0660 DRVNDDM (05467e44a42c777dd1534bb4539b16d1) C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
2011/05/19 20:57:24.0406 0660 e1express (27f19c1cd70ebe00817c1eefc5239de1) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
2011/05/19 20:57:24.0828 0660 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/19 20:57:24.0859 0660 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
2011/05/19 20:57:24.0875 0660 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/19 20:57:24.0890 0660 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/19 20:57:24.0953 0660 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/19 20:57:25.0000 0660 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/19 20:57:25.0062 0660 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/19 20:57:25.0140 0660 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/19 20:57:25.0234 0660 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/19 20:57:25.0296 0660 HDAudBus (3fcc124b6e08ee0e9351f717dd136939) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/19 20:57:25.0359 0660 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/19 20:57:25.0781 0660 HSFHWAZL (6a5c4732d6803f84e2987edd8e4359ce) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/05/19 20:57:25.0921 0660 HSF_DPV (21c31273c6cc4826e74be8ae3b09d4a8) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
2011/05/19 20:57:26.0093 0660 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/19 20:57:26.0265 0660 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/19 20:57:26.0562 0660 ialm (06b71441957b48a4866de2fe27cb79c8) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/05/19 20:57:26.0984 0660 IBMPMDRV (bf648877413f6160e480814a24942b65) C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
2011/05/19 20:57:27.0078 0660 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/19 20:57:27.0171 0660 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/19 20:57:27.0203 0660 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/19 20:57:27.0250 0660 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/19 20:57:27.0359 0660 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/19 20:57:27.0406 0660 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/19 20:57:27.0468 0660 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/19 20:57:27.0531 0660 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/19 20:57:27.0578 0660 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/19 20:57:27.0593 0660 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/19 20:57:27.0718 0660 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/19 20:57:27.0781 0660 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/19 20:57:27.0812 0660 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/19 20:57:27.0890 0660 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/05/19 20:57:27.0968 0660 mfeapfk (1619082b1d7f731b11449f48e91cc84c) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/05/19 20:57:28.0046 0660 mfeavfk (1fae237d343904e24b3a9eb04bbd8170) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/05/19 20:57:28.0078 0660 mfebopk (8c324da46f9fcc5c107ceda4dbcfc7ae) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/05/19 20:57:28.0125 0660 mfehidk (d0123e113243bdd427611f265bbd21b8) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/05/19 20:57:28.0203 0660 mferkdet (d528f31cad4411d3ae3ce0c634232851) C:\WINDOWS\system32\drivers\mferkdet.sys
2011/05/19 20:57:28.0250 0660 mfetdik (28a2f3c4ca8c2063087c9fcd963586c0) C:\WINDOWS\system32\drivers\mfetdik.sys
2011/05/19 20:57:28.0375 0660 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/19 20:57:28.0484 0660 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/19 20:57:28.0546 0660 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/19 20:57:28.0609 0660 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/19 20:57:28.0671 0660 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/19 20:57:28.0703 0660 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/19 20:57:28.0734 0660 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/19 20:57:28.0843 0660 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/19 20:57:28.0890 0660 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/19 20:57:28.0906 0660 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/19 20:57:28.0937 0660 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/19 20:57:28.0984 0660 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/19 20:57:29.0031 0660 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/19 20:57:29.0140 0660 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/19 20:57:29.0187 0660 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/19 20:57:29.0250 0660 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/19 20:57:29.0312 0660 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/19 20:57:29.0359 0660 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/19 20:57:29.0484 0660 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/19 20:57:29.0515 0660 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/19 20:57:29.0562 0660 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/19 20:57:29.0578 0660 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/19 20:57:29.0625 0660 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/19 20:57:29.0703 0660 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/19 20:57:29.0718 0660 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/19 20:57:29.0796 0660 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/19 20:57:29.0921 0660 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/19 20:57:29.0968 0660 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/19 20:57:30.0000 0660 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/19 20:57:30.0046 0660 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/19 20:57:30.0093 0660 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/19 20:57:30.0109 0660 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/19 20:57:30.0312 0660 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/19 20:57:30.0328 0660 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/19 20:57:30.0375 0660 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/19 20:57:30.0390 0660 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/05/19 20:57:30.0546 0660 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/19 20:57:30.0640 0660 prepdrvr (2a4514a9233d35a355f569ff8b8f6240) C:\WINDOWS\system32\CCM\prepdrv.sys
2011/05/19 20:57:30.0828 0660 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/19 20:57:30.0859 0660 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/19 20:57:30.0953 0660 PxHelp20 (81088114178112618b1c414a65e50f7c) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/19 20:57:31.0156 0660 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/19 20:57:31.0250 0660 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/19 20:57:31.0265 0660 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/19 20:57:31.0296 0660 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/19 20:57:31.0406 0660 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/19 20:57:31.0421 0660 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/19 20:57:31.0484 0660 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/19 20:57:31.0562 0660 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/19 20:57:31.0687 0660 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/19 20:57:31.0750 0660 RimUsb (0f6756ef8bda6dfa7be50465c83132bb) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/05/19 20:57:31.0890 0660 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/05/19 20:57:32.0046 0660 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/05/19 20:57:32.0140 0660 s24trans (f275ee6061e444caa7137aefb2c27a03) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/05/19 20:57:32.0328 0660 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/19 20:57:32.0781 0660 Serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/19 20:57:33.0203 0660 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/19 20:57:33.0921 0660 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/19 20:57:34.0046 0660 Shockprf (e22ef09693396bfeda7edc47b6c16e26) C:\WINDOWS\system32\DRIVERS\Apsx86.sys
2011/05/19 20:57:34.0171 0660 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/19 20:57:34.0234 0660 smsmdd (4b4ab78e866bbecf93f6eabc3270178a) C:\WINDOWS\system32\DRIVERS\smsmdm.sys
2011/05/19 20:57:34.0734 0660 SNP2UVC (537cd54295cdbcc4dcffe95e234387ae) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
2011/05/19 20:57:35.0390 0660 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/19 20:57:35.0468 0660 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/19 20:57:35.0515 0660 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/19 20:57:35.0578 0660 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/05/19 20:57:35.0640 0660 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/19 20:57:35.0750 0660 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/19 20:57:35.0937 0660 SynTP (ba44ecf2cba1c6cc15cd08742d9d4684) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/05/19 20:57:36.0109 0660 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/19 20:57:36.0171 0660 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/19 20:57:36.0296 0660 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/19 20:57:36.0343 0660 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/19 20:57:36.0406 0660 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/19 20:57:36.0500 0660 TPDIGIMN (a44928f04032d49a6c2e151f869fb152) C:\WINDOWS\system32\DRIVERS\ApsHM86.sys
2011/05/19 20:57:36.0593 0660 TPHKDRV (542770c8925e13b29b1ba63f05898058) C:\WINDOWS\system32\DRIVERS\TPHKDRV.sys
2011/05/19 20:57:36.0750 0660 TPPWRIF (44672de6cea9569c21c4b7a8d2560750) C:\WINDOWS\system32\drivers\Tppwrif.sys
2011/05/19 20:57:36.0875 0660 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/19 20:57:36.0968 0660 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/19 20:57:37.0015 0660 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/05/19 20:57:37.0234 0660 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/05/19 20:57:37.0281 0660 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/19 20:57:37.0343 0660 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/19 20:57:37.0375 0660 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/19 20:57:37.0406 0660 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/19 20:57:37.0453 0660 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/19 20:57:37.0484 0660 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/19 20:57:37.0593 0660 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/19 20:57:37.0656 0660 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/05/19 20:57:37.0734 0660 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2011/05/19 20:57:37.0781 0660 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/19 20:57:37.0843 0660 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
2011/05/19 20:57:38.0046 0660 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/19 20:57:38.0125 0660 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/05/19 20:57:38.0312 0660 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/19 20:57:38.0468 0660 winachsf (307d248f97835b6879bdd361086924fe) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/05/19 20:57:38.0640 0660 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/05/19 20:57:38.0718 0660 WSIMD (2691329aa67863c2e80e63f1d9802947) C:\WINDOWS\system32\DRIVERS\wsimd.sys
2011/05/19 20:57:38.0890 0660 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/05/19 20:57:38.0968 0660 ================================================================================
2011/05/19 20:57:38.0968 0660 Scan finished
2011/05/19 20:57:38.0968 0660 ================================================================================
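The driver listing above is long, and a defender reviewing a TDSSKiller log usually wants the handful of entries worth looking up first rather than all of them. The script below is an added example (not a tool used anywhere in this thread): it parses the driver lines (timestamp, process id, service name, MD5 of the image, path) and lists the drivers whose image is loaded from somewhere other than C:\WINDOWS\system32\drivers. The sample input is four lines copied from the listing plus the trailer TDSSKiller prints. An unusual directory is not evidence of anything by itself; it only narrows a hundred lines down to a few to check.

```python
"""Triage helper for a TDSSKiller driver listing (added example, not a thread tool)."""
import re
from collections import Counter

# Each driver line has the shape:
#   <date> <time> <pid> <service name> (<md5 of the image>) <path to the .sys file>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})\s+"
    r"(?P<pid>\d+)\s+"
    r"(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+"
    r"(?P<path>.+?)\s*$"
)

# Where Windows XP normally keeps kernel drivers. Lower-cased because NTFS
# paths are case-insensitive and the log mixes "drivers" and "DRIVERS".
STANDARD_DRIVER_DIRS = {r"c:\windows\system32\drivers"}

# Constructed sample: four lines copied from the listing posted above plus
# the trailer lines, so the parser can be exercised offline.
SAMPLE_LOG = (
    "2011/05/19 20:57:30.0546 0660 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) "
    "C:\\WINDOWS\\system32\\DRIVERS\\raspptp.sys\n"
    "2011/05/19 20:57:30.0640 0660 prepdrvr (2a4514a9233d35a355f569ff8b8f6240) "
    "C:\\WINDOWS\\system32\\CCM\\prepdrv.sys\n"
    "2011/05/19 20:57:31.0687 0660 redbook (b31b4588e4086d8d84adbf9845c2402b) "
    "C:\\WINDOWS\\system32\\DRIVERS\\redbook.sys\n"
    "2011/05/19 20:57:37.0843 0660 vsdatant (27b3dd12a19eec50220df15b64913dda) "
    "C:\\WINDOWS\\system32\\vsdatant.sys\n"
    "2011/05/19 20:57:38.0968 0660 ================================================\n"
    "2011/05/19 20:57:38.0968 0660 Scan finished\n"
    "2011/05/19 20:57:38.0968 0660 ================================================\n"
)


def parse_tdsskiller(text):
    """Return one dict per driver line; separator and status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def driver_dir(path):
    """Directory part of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[0].lower()


def outside_standard_dirs(entries):
    """Names of drivers whose image is not in the usual drivers directory."""
    return [e["name"] for e in entries
            if driver_dir(e["path"]) not in STANDARD_DRIVER_DIRS]


def dir_histogram(entries):
    """How many drivers load from each directory; a lone odd directory stands out."""
    return Counter(driver_dir(e["path"]) for e in entries)


if __name__ == "__main__":
    drivers = parse_tdsskiller(SAMPLE_LOG)
    print(f"{len(drivers)} driver lines parsed")
    for directory, count in dir_histogram(drivers).most_common():
        print(f"{count:3d}  {directory}")
    print("review first:", outside_standard_dirs(drivers))
```

To use it on a real log, read the whole TDSSKiller output into a string and pass it to `parse_tdsskiller`; the MD5 in each entry is what you would submit to a hash lookup service for the flagged drivers.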

#12
michaelg9

    Trusted Helper

  • Malware Removal
  • 2,949 posts
Hello,

Your logs are starting to look good.


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL

    :Services

    :Reg

    :Files
    c:\windows\Grutijosifaduju.bin

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again.
  • Under Extra Registry select Use Whitelist.
  • Click the Run Scan button. Post the two logs it produces in your next reply.


Next:
Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Next:

Please make another scan with your antivirus, and see if it detects anything. Post the log here.


Next:
Please tell me if your computer now has any problems and how it's running.

#13
krhaller

    Member

  • Topic Starter
  • Member
  • 29 posts
Here's the result from OTL. I'm running MBAM now.

-Karl
________________

All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File\Folder c:\windows\Grutijosifaduju.bin not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: fmagrat
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: khaller
->Temp folder emptied: 287644 bytes
->Temporary Internet Files folder emptied: 1235543 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 115368396 bytes
->Flash cache emptied: 1698 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 17048 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 112.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: fmagrat

User: khaller
->Flash cache emptied: 0 bytes

User: LocalService

User: NetworkService
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 05202011_204613

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

#14
krhaller

    Member

  • Topic Starter
  • Member
  • 29 posts
Here's the MBAM log. I will run McAfee next.

-Karl

_________________

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6621

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/20/2011 9:03:55 PM
mbam-log-2011-05-20 (21-03-55).txt

Scan type: Quick scan
Objects scanned: 175909
Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15
michaelg9

    Trusted Helper

  • Malware Removal
  • 2,949 posts
Hello,

I want 2 new OTL logs, OTL.txt and Extras.txt. Do this:


Open OTL again.
Under Extra Registry select Use Whitelist.
Click the Run Scan button. Post the two logs it produces in your next reply.