Geeks to Go

Laptop had fake alert. Did ESET and removed 2 things. Need to know if


  • This topic is locked

#1 karonita (Member, 50 posts)
Hi. I clicked on a Google image the other day and next thing I knew the fake Microsoft symbol showed up and started the counting of the malware that I have on my system. I knew what that was so did SUPERAntiSpyware and ESET. Found Win32/Injector.GIX trojan, and Win32/OpenCandy application. Neither I have heard of before. I also did a GMER after that that came up o of any malware. Need to know if it's clean. I use this computer for the more important things. Here is my HJ report. I also have another one open waiting now 5 days for my desktop which is also infected with something.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:11:39 PM, on 5/16/2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8080.16413)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Users\karoni\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.facebook.com/login
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...SARIO&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110515185540.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O15 - Trusted Zone: *.combofix.exe
O15 - Trusted Zone: http://www.infospyware.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Personal Firewall Service (McMPFSvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee VirusScan Announcer (McNaiAnn) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: McShield - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Firewall Core Service (mfefire) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - McAfee, Inc. - C:\Windows\system32\mfevtps.exe
O23 - Service: McAfee Online Backup (MOBKbackup) - McAfee, Inc. - C:\Program Files\McAfee Online Backup\MOBKbackup.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6660 bytes
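As an added example (not part of the original thread, and not code from HijackThis or from Geeks to Go), here is a small Python triage script that applies three first-pass checks over HijackThis-style lines: O2/O3 entries whose file is reported as "(no file)", O15 Trusted Zone entries, and O4 autostart entries launching from outside Program Files or the Windows directory. The sample input reuses lines from the log above plus one constructed O4 line (a Temp\updater.exe entry) that is not from the poster's machine and exists only to exercise the O4 rule. Hits are flagged for a human to confirm, not declared malicious.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; not part of the original posts and not
code from HijackThis or Geeks to Go. Three first-pass checks a
malware-removal helper runs over such a log:

  * O2/O3 entries whose DLL is reported as "(no file)": an orphaned CLSID
    left behind after something was removed or never fully installed.
  * O15 Trusted Zone entries: sites or files that IE treats with relaxed
    security, so each one deserves a look.
  * O4 autostart entries that launch from outside Program Files or the
    Windows directory (user-writable locations such as %TEMP%).

Every hit is flagged for a human to confirm, not declared malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the log posted above, plus ONE constructed O4 line
# (the Temp\updater.exe entry) that is NOT from the poster's machine and
# exists only to exercise the O4 rule.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.facebook.com/login
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe
O4 - HKCU\..\Run: [updater] C:\Users\example\AppData\Local\Temp\updater.exe
O15 - Trusted Zone: *.combofix.exe
O15 - Trusted Zone: http://www.infospyware.net
"""

LINE_RE = re.compile(r"^(?P<sec>[ORF]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"(.+?\.(?:exe|dll|scr|bat|cmd))(?:\s|$)", re.IGNORECASE)
# Autostart roots a standard user cannot write to on a default install;
# anything launching from elsewhere is flagged for review.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def o4_path(body: str) -> Optional[str]:
    r"""Extract the launched file from an O4 body.

    Handles the two shapes HijackThis emits:
      HKLM\..\Run: [name] "C:\path with spaces\x.exe" /args
      Global Startup: foo.lnk = C:\path\x.exe
    """
    _, sep, rest = body.partition("] ")
    if not sep:
        _, sep, rest = body.partition(" = ")
        if not sep:
            return None
    rest = rest.strip()
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]
    m = PATH_RE.match(rest)
    return m.group(1) if m else rest


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for a line worth a closer look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("O2", "O3") and body.endswith("(no file)"):
        return Finding(sec, "orphaned BHO/toolbar: CLSID registered but DLL missing", line)
    if sec == "O15":
        return Finding(sec, "Trusted Zone entry: IE applies relaxed security to it", line)
    if sec == "O4":
        path = o4_path(body)
        if path and not path.lower().startswith(TRUSTED_ROOTS):
            return Finding(sec, f"autostart outside Program Files/Windows: {path}", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it prints the orphaned O2 entry, the constructed O4 line and both O15 entries; the three genuine O4 entries under Program Files pass. The checks are heuristics: an orphaned BHO is harmless by itself and a Trusted Zone entry may be a deliberate leftover from an earlier cleanup tool, so they tell a helper where to look, not what to remove.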
#2 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
Hi. My name is Michael and I am here to help you fix your computer.

Note: Before we start the process you should:
  • POST your logs, don't attach them, as it makes it harder to read. Also please don't edit any log in any case.
  • Disable ANY programs that offer real-time protection features while executing my instructions. That includes your antivirus, antispyware, Windows Defender or any other program that offers protection. When you're clean or waiting for my next set of instructions, re-enable them. If you need any help disabling them, ask.
  • Last, as most of the tools we use here need administrative rights in order to function properly, I expect that you will be running them from an administrator account.


Sorry for the late reply. You can't have two open topics for help simultaneously, so I'm going to close the other one and we'll clean both computers here :)


Let's start with the one you ran HijackThis on and posted this log from. When we finish with that one, we're going to fix the other computer.



OTL Custom Scan
  • Download OTL to your Desktop
  • Double click on the OTL icon to run it.
  • Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top, make sure Standard output is selected.
  • Select Scan all users
  • Check the boxes beside LOP Check and Purity Check.
  • Under the Custom Scans/Fixes box copy and paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    CREATERESTOREPOINT

  • Click the scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open OTL.Txt in Notepad window.
  • Please copy (Edit->Select All, Edit->Copy) the content of this file and post it with your next reply.



Next:



Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3 karonita (Topic Starter, Member, 50 posts)
Thanks so much Michael. Actually, the one with the HijackThis is the same computer. Just no one posted to help with the first one, so then when the virus reared its ugly head again, I reposted. Then when a week went by again, I looked to see what to do about it. It said after 3 days, so figured I would post in the waiting room. Will get right to it. Thanks so much. :)

#4 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
I got a little confused. So you are saying that only this computer is infected and needs to be fixed?

The logs posted are outdated, so that's why I need new ones :)

#5 karonita (Topic Starter, Member, 50 posts)
OTL logfile created on: 7/12/2011 06:58:49 - Run 3
OTL by OldTimer - Version 3.2.26.0 Folder = C:\Users\karoni\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.62 Mb Total Physical Memory | 56.92 Mb Available Physical Memory | 11.13% Memory free
2.94 Gb Paging File | 1.92 Gb Available in Paging File | 65.18% Paging File free
Paging file location(s): c:\pagefile.sys 2500 2500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 87.62 Gb Total Space | 65.51 Gb Free Space | 74.77% Space Free | Partition Type: NTFS
Drive D: | 5.54 Gb Total Space | 1.05 Gb Free Space | 18.92% Space Free | Partition Type: NTFS
Drive F: | 29.91 Gb Total Space | 25.91 Gb Free Space | 86.62% Space Free | Partition Type: FAT32

Computer Name: KARONI-PC | User Name: karoni | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/05 23:04:45 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\karoni\Downloads\OTL.exe
PRC - [2011/06/15 16:26:14 | 000,784,000 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcupdate.exe
PRC - [2011/05/25 21:24:16 | 001,306,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/05/11 15:10:44 | 000,167,040 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2011/05/10 22:28:30 | 003,769,048 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
PRC - [2011/05/10 22:21:12 | 003,834,456 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDMonSvc.exe
PRC - [2011/05/10 22:18:34 | 003,585,696 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe
PRC - [2011/05/10 22:18:08 | 003,515,656 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2011/05/02 14:38:38 | 001,191,368 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 08:17:00 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2006/10/10 20:44:20 | 000,034,520 | ---- | M] (Hewlett Packard) -- C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe


========== Modules (SafeList) ==========

MOD - [2011/07/05 23:04:45 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\karoni\Downloads\OTL.exe
MOD - [2011/04/08 16:56:28 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/11/20 07:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (0275281310315314mcinstcleanup) McAfee Application Installer Cleanup (0275281310315314)
SRV - [2011/06/29 17:43:25 | 003,435,096 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_e477fed.dll -- (Akamai)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/05/11 15:10:44 | 000,167,040 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe -- (SDWSCService)
SRV - [2011/05/10 22:28:30 | 003,769,048 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe -- (SDUpdateService)
SRV - [2011/05/10 22:21:12 | 003,834,456 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDMonSvc.exe -- (SDMonitorService)
SRV - [2011/05/10 22:18:34 | 003,585,696 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe -- (SDFirewallService)
SRV - [2011/05/10 22:18:08 | 003,515,656 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe -- (SDScannerService)
SRV - [2011/03/17 16:38:42 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/10/14 17:27:38 | 000,092,216 | ---- | M] (Hewlett-Packard Company) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe -- (HPDrvMntSvc.exe)
SRV - [2010/04/25 10:57:16 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/04/13 21:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Stopped] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2006/06/26 13:50:08 | 000,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr)
SRV - [2004/10/22 07:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,163,400 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,064,648 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/04/13 21:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\System32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2010/02/25 00:02:30 | 000,015,544 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2009/11/04 16:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/07/22 07:42:58 | 000,051,200 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/03/04 02:32:00 | 000,188,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2007/07/10 06:27:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/02 10:43:50 | 000,145,920 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2006/06/28 13:57:00 | 000,008,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\eabfiltr.sys -- (eabfiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...SARIO&pf=laptop


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.facebook.com/login
IE - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.4: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\karoni\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\karoni\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/23 21:24:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/23 21:24:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/24 18:41:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Google\Web Accelerator\firefox [2011/06/23 18:39:43 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/23 21:24:27 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/23 21:24:28 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/24 18:41:36 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Google\Web Accelerator\firefox [2011/06/23 18:39:43 | 000,000,000 | ---D | M]

[2010/04/24 18:41:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\karoni\AppData\Roaming\Mozilla\Extensions
[2010/04/16 21:33:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\karoni\AppData\Roaming\Mozilla\Extensions\[email protected]

O1 HOSTS File: ([2011/07/11 18:32:52 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - File not found
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (&Google Web Accelerator Helper) - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20110616185531.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Web Accelerator) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O15 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\..Trusted Domains: combofix.exe ([]* in Trusted sites)
O15 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\..Trusted Domains: infospyware.net ([www] http in Trusted sites)
O15 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O24 - Desktop WallPaper: C:\Users\karoni\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\karoni\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 11:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O32 - AutoRun File - [2010/05/05 16:20:58 | 000,000,103 | ---- | M] () - F:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/07/12 18:10:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2011/07/11 19:43:59 | 000,000,000 | ---D | C] -- C:\Windows\TEMP
[2011/07/11 18:33:04 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/07/11 17:56:35 | 000,518,144 | R--- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/07/11 17:56:35 | 000,406,528 | R--- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/07/11 17:55:17 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/07/11 17:50:34 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/07/10 23:38:14 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Local\temp
[2011/07/04 12:30:29 | 000,056,400 | ---- | C] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2011/07/04 12:30:28 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2011/07/03 12:48:48 | 000,000,000 | ---D | C] -- C:\Users\karoni\FrostWire
[2011/07/03 11:06:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Disabled by AnVir)
[2011/07/03 10:39:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnVir Task Manager Free
[2011/07/03 10:39:02 | 000,000,000 | ---D | C] -- C:\Program Files\AnVir Task Manager Free
[2011/07/03 10:38:01 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Local\AnVir
[2011/07/02 13:53:31 | 000,870,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2011/07/02 13:53:27 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2011/07/02 13:53:24 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\prevhost.exe
[2011/07/02 13:51:29 | 000,027,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\Diskdump.sys
[2011/07/02 13:50:17 | 002,616,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\explorer.exe
[2011/07/02 13:49:56 | 001,401,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssrch.dll
[2011/07/02 13:49:55 | 001,549,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tquery.dll
[2011/07/02 13:49:52 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssph.dll
[2011/07/02 13:49:47 | 000,666,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssvp.dll
[2011/07/02 13:49:45 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssphtb.dll
[2011/07/02 13:49:43 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msscntrs.dll
[2011/06/28 19:28:12 | 000,000,000 | ---D | C] -- C:\Users\karoni\Desktop\log
[2011/06/24 18:14:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
[2011/06/24 18:14:13 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\Windows\System32\sdnclean.exe
[2011/06/24 18:13:35 | 000,770,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcr100.dll
[2011/06/24 18:13:35 | 000,421,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcp100.dll
[2011/06/24 18:08:52 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FrostWire
[2011/06/23 18:39:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Web Accelerator
[2011/06/23 18:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2011/06/23 18:23:35 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Roaming\SUPERAntiSpyware.com
[2011/06/23 18:23:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2011/06/23 18:23:10 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/06/23 18:19:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/23 18:19:12 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/23 18:19:12 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/23 18:19:12 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/23 18:18:37 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/06/20 20:34:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/06/20 20:34:37 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/06/17 18:07:33 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/06/17 18:07:31 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/06/17 18:07:31 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/06/17 18:07:30 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/06/17 18:05:50 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010/10/13 19:17:07 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\karoni\AppData\Roaming\pcouffin.sys
[2010/09/03 22:07:39 | 003,063,561 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\MobileTV.exe
[2010/09/03 22:07:39 | 002,989,660 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\DVD.exe
[2010/09/03 22:07:38 | 002,864,396 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\MPV.exe
[2010/09/03 22:07:38 | 002,331,174 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\Karaoke.exe
[2010/09/03 22:07:37 | 002,231,606 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\Games.exe

========== Files - Modified Within 30 Days ==========

[2011/07/12 18:44:20 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1643368254-1818270169-1135579119-1000Core.job
[2011/07/12 18:44:17 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1643368254-1818270169-1135579119-1000UA.job
[2011/07/12 18:00:02 | 000,000,446 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration3.job
[2011/07/12 17:56:58 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/07/12 17:56:58 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/07/12 17:41:31 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/07/12 17:41:26 | 402,350,080 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/11 22:51:22 | 162,372,208 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/07/11 22:36:18 | 000,000,606 | ---- | M] () -- C:\Users\karoni\Desktop\fsecuree
[2011/07/11 18:32:52 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/07/05 21:26:00 | 000,001,041 | ---- | M] () -- C:\Users\karoni\AppData\Roaming\vso_ts_preview.xml
[2011/07/04 18:31:34 | 000,000,691 | ---- | M] () -- C:\Users\karoni\AppData\Roaming\GetValue.vbs
[2011/07/04 18:31:34 | 000,000,035 | ---- | M] () -- C:\Users\karoni\AppData\Roaming\SetValue.bat
[2011/07/04 12:30:29 | 000,056,400 | ---- | M] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2011/07/04 12:30:28 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2011/07/04 12:05:45 | 000,624,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/07/04 12:05:45 | 000,106,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/07/03 10:39:04 | 000,000,997 | ---- | M] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\AnVir Task Manager Free.lnk
[2011/07/03 10:39:03 | 000,001,039 | ---- | M] () -- C:\Users\Public\Desktop\AnVir Task Manager Free.lnk
[2011/07/02 17:35:22 | 000,389,408 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/06/30 17:54:24 | 000,012,660 | ---- | M] () -- C:\Users\karoni\Documents\cc_20110630_175401.reg
[2011/06/26 12:34:12 | 000,000,000 | ---- | M] () -- C:\Users\karoni\AppData\Roaming\.googlewebacchosts
[2011/06/26 02:45:56 | 000,256,000 | ---- | M] () -- C:\Windows\PEV.exe
[2011/06/24 18:14:15 | 000,002,123 | ---- | M] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2011/06/24 18:08:53 | 000,001,203 | ---- | M] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.21.8.lnk
[2011/06/24 18:08:52 | 000,001,179 | ---- | M] () -- C:\Users\karoni\Desktop\FrostWire 4.21.8.lnk
[2011/06/23 18:39:44 | 000,001,181 | ---- | M] () -- C:\Users\karoni\Desktop\Google Web Accelerator.lnk
[2011/06/23 18:23:27 | 000,001,965 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/06/23 18:18:49 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/23 18:18:49 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/23 18:18:48 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/23 18:18:46 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/06/23 18:16:26 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/20 20:35:20 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk

========== Files Created - No Company Name ==========

[2011/07/11 22:36:18 | 000,000,606 | ---- | C] () -- C:\Users\karoni\Desktop\fsecuree
[2011/07/11 17:56:39 | 000,208,896 | R--- | C] () -- C:\Windows\MBR.exe
[2011/07/11 17:56:35 | 000,098,816 | R--- | C] () -- C:\Windows\sed.exe
[2011/07/11 17:56:35 | 000,080,412 | R--- | C] () -- C:\Windows\grep.exe
[2011/07/11 17:56:35 | 000,068,096 | R--- | C] () -- C:\Windows\zip.exe
[2011/07/04 18:31:34 | 000,000,035 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\SetValue.bat
[2011/07/04 18:31:33 | 000,000,691 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\GetValue.vbs
[2011/07/03 10:39:04 | 000,000,997 | ---- | C] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\AnVir Task Manager Free.lnk
[2011/07/03 10:39:02 | 000,001,039 | ---- | C] () -- C:\Users\Public\Desktop\AnVir Task Manager Free.lnk
[2011/06/30 17:54:17 | 000,012,660 | ---- | C] () -- C:\Users\karoni\Documents\cc_20110630_175401.reg
[2011/06/28 18:42:39 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/06/24 18:14:15 | 000,002,135 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2011/06/24 18:14:15 | 000,002,123 | ---- | C] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2011/06/24 18:08:53 | 000,001,203 | ---- | C] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.21.8.lnk
[2011/06/24 18:08:52 | 000,001,179 | ---- | C] () -- C:\Users\karoni\Desktop\FrostWire 4.21.8.lnk
[2011/06/23 18:45:14 | 000,000,000 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\.googlewebacchosts
[2011/06/23 18:39:44 | 000,001,181 | ---- | C] () -- C:\Users\karoni\Desktop\Google Web Accelerator.lnk
[2011/06/23 18:23:27 | 000,001,965 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/06/20 20:35:19 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/20 20:35:19 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/03/20 13:42:53 | 000,006,656 | ---- | C] () -- C:\Windows\System32\bcmwlrc.dll
[2010/12/22 21:22:02 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/11/09 21:50:41 | 000,000,017 | ---- | C] () -- C:\Users\karoni\AppData\Local\resmon.resmoncfg
[2010/10/13 19:17:07 | 000,007,887 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\pcouffin.cat
[2010/10/13 19:17:07 | 000,001,144 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\pcouffin.inf
[2010/10/10 18:19:03 | 000,001,041 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\vso_ts_preview.xml
[2010/10/10 11:22:41 | 000,000,039 | ---- | C] () -- C:\Windows\WININIT.INI
[2010/10/10 10:30:01 | 000,000,000 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\wklnhst.dat
[2010/04/24 19:18:07 | 000,000,279 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2010/04/24 18:48:38 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2010/04/17 17:01:27 | 000,000,000 | ---- | C] () -- C:\Windows\setup32.INI
[2010/02/12 23:21:31 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 00:33:53 | 000,389,408 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,624,178 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,106,522 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/06 07:02:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2006/09/19 03:02:40 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/19 03:02:40 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/03/09 16:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2004/09/16 16:24:26 | 003,375,104 | ---- | C] () -- C:\Windows\System32\qt-mt331.dll

========== LOP Check ==========

[2010/11/11 14:47:24 | 000,000,000 | ---D | M] -- C:\Users\karoni\AppData\Roaming\.minecraft
[2011/03/20 13:12:35 | 000,000,000 | ---D | M] -- C:\Users\karoni\AppData\Roaming\DriverCure
[2011/05/14 14:41:35 | 000,000,000 | ---D | M] -- C:\Users\karoni\AppData\Roaming\f-secure
[2011/07/05 21:27:10 | 000,000,000 | ---D | M] -- C:\Users\karoni\AppData\Roaming\FrostWire
[2010/10/10 17:55:20 | 000,000,000 | ---D | M] -- C:\Users\karoni\AppData\Roaming\ImgBurn
[2011/03/20 13:12:35 | 000,000,000 | ---D | M] -- C:\Users\karoni\AppData\Roaming\ParetoLogic
[2011/01/01 15:08:50 | 000,000,000 | ---D | M] -- C:\Users\karoni\AppData\Roaming\PhotoScape
[2010/10/13 19:55:37 | 000,000,000 | ---D | M] -- C:\Users\karoni\AppData\Roaming\playitall
[2010/10/11 18:34:22 | 000,000,000 | ---D | M] -- C:\Users\karoni\AppData\Roaming\Unity
[2011/07/05 21:26:02 | 000,000,000 | ---D | M] -- C:\Users\karoni\AppData\Roaming\Vso
[2011/07/12 18:00:02 | 000,000,446 | ---- | M] () -- C:\Windows\Tasks\ParetoLogic Registration3.job
[2011/03/20 13:56:20 | 000,000,420 | ---- | M] () -- C:\Windows\Tasks\ParetoLogic Update Version3.job
[2011/03/20 13:56:20 | 000,000,378 | ---- | M] () -- C:\Windows\Tasks\PC Health Advisor Defrag.job
[2011/03/20 13:56:20 | 000,000,360 | ---- | M] () -- C:\Windows\Tasks\PC Health Advisor.job
[2011/05/02 18:40:17 | 000,032,600 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: EXPLORER.EXE >
[2011/02/26 01:19:21 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=0FB9C74046656D1579A64660AD67B746 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.21669_none_54149f9ef14031fc\explorer.exe
[2009/07/13 21:14:20 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=15BC38A7492BEFE831966ADB477CF76F -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16385_none_518afd35db100430\explorer.exe
[2011/02/26 01:51:13 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=255CF508D7CFB10E0794D6AC93280BD8 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20910_none_525b5180f3f95373\explorer.exe
[2009/10/31 01:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=2626FC9755BE22F805D3CFA0CE3EE727 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_51a66d6ddafc2ed1\explorer.exe
[2011/02/26 01:33:07 | 002,614,784 | ---- | M] (Microsoft Corporation) MD5=2AF58D15EDC06EC6FDACCE1F19482BBF -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16768_none_51a3a583dafd0cef\explorer.exe
[2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=40D777B7A95E00593EB1568C68514493 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17514_none_53bc10fdd7fe87ca\explorer.exe
[2010/11/20 08:17:09 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\ERDNT\cache\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\explorer.exe
[2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) MD5=8B88EBBB05A0E56B7DCC708498C02B3E -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7601.17567_none_5389023fd8245f84\explorer.exe
[2009/08/03 01:49:47 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=9FF6C4C91A3711C0A3B18F87B08B518D -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20500_none_526619d4f3f142e6\explorer.exe
[2011/05/11 16:02:08 | 005,945,944 | ---- | M] (Safer-Networking Ltd.) MD5=B302653D473E85E3FFCF100F12062EF9 -- C:\Program Files\Spybot - Search & Destroy 2\explorer.exe
[2009/08/03 01:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) MD5=B95EEB0F4E5EFBF1038A35B3351CF047 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16404_none_51e07e31dad00878\explorer.exe
[2009/10/31 02:00:51 | 002,614,272 | ---- | M] (Microsoft Corporation) MD5=C76153C7ECA00FA852BB0C193378F917 -- C:\Windows\winsxs\x86_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_52283b2af41f3691\explorer.exe

< MD5 for: SVCHOST.EXE >
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\ERDNT\cache\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\System32\svchost.exe
[2009/07/13 21:14:41 | 000,020,992 | ---- | M] (Microsoft Corporation) MD5=54A47F6B5E09A77E61649109C6A08866 -- C:\Windows\winsxs\x86_microsoft-windows-services-svchost_31bf3856ad364e35_6.1.7600.16385_none_b591afc466a15356\svchost.exe

< MD5 for: USERINIT.EXE >
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\ERDNT\cache\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\System32\userinit.exe
[2010/11/20 08:17:48 | 000,026,624 | ---- | M] (Microsoft Corporation) MD5=61AC3EFDFACFDD3F0F11DD4FD4044223 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7601.17514_none_de3024012ff21116\userinit.exe
[2009/07/13 21:14:43 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=6DE80F60D7DE9CE6B8C2DDFDF79EF175 -- C:\Windows\winsxs\x86_microsoft-windows-userinit_31bf3856ad364e35_6.1.7600.16385_none_dbff103933038d7c\userinit.exe

< MD5 for: WINLOGON.EXE >
[2009/10/28 02:17:59 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=37CDB7E72EB66BA85A87CBE37E7F03FD -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16447_none_6fc699643622d177\winlogon.exe
[2009/10/28 01:52:08 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=3BABE6767C78FBF5FB8435FEED187F30 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.20560_none_703394514f56f7c2\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\ERDNT\cache\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\System32\winlogon.exe
[2010/11/20 08:17:54 | 000,286,720 | ---- | M] (Microsoft Corporation) MD5=6D13E1406F50C66E2A95D97F22C47560 -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500\winlogon.exe
[2009/07/13 21:14:45 | 000,285,696 | ---- | M] (Microsoft Corporation) MD5=8EC6A4AB12B8F3759E21F8E3A388F2CF -- C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166\winlogon.exe

< %systemroot%\*. /mp /s >

< hklm\software\clients\startmenuinternet|command /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe" --show-icons [2011/07/07 10:50:48 | 001,019,960 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe" --hide-icons [2011/07/07 10:50:48 | 001,019,960 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/07/07 10:50:48 | 001,019,960 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe" [2011/07/07 10:50:48 | 001,019,960 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/06/11 09:29:31 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/06/11 09:29:31 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/06/11 09:29:31 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011/06/11 09:29:33 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" [2011/06/11 09:29:33 | 000,748,336 | ---- | M] (Microsoft Corporation)

< hklm\software\clients\startmenuinternet|command /64 /rs >
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ShowIconsCommand: "C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe" --show-icons [2011/07/07 10:50:48 | 001,019,960 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\HideIconsCommand: "C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe" --hide-icons [2011/07/07 10:50:48 | 001,019,960 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\InstallInfo\\ReinstallCommand: "C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe" --make-default-browser [2011/07/07 10:50:48 | 001,019,960 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\Google Chrome\shell\open\command\\: "C:\Users\karoni\AppData\Local\Google\Chrome\Application\chrome.exe" [2011/07/07 10:50:48 | 001,019,960 | ---- | M] (Google Inc.)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ShowIconsCommand: "C:\Windows\System32\ie4uinit.exe" -show [2011/06/11 09:29:31 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\ReinstallCommand: "C:\Windows\System32\ie4uinit.exe" -reinstall [2011/06/11 09:29:31 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\InstallInfo\\HideIconsCommand: "C:\Windows\System32\ie4uinit.exe" -hide [2011/06/11 09:29:31 | 000,074,240 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\naom\command\\: "C:\Program Files\Internet Explorer\iexplore.exe" -extoff [2011/06/11 09:29:33 | 000,748,336 | ---- | M] (Microsoft Corporation)
HKEY_LOCAL_MACHINE\software\clients\startmenuinternet\IEXPLORE.EXE\shell\open\command\\: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" [2011/06/11 09:29:33 | 000,748,336 | ---- | M] (Microsoft Corporation)

< End of report >

#6
karonita (Topic Starter, Member, 50 posts)
Yup, same computer, just waiting a long time for a fix. But extremely grateful to have you. Here is the ComboFix. It wouldn't go to my desktop, kept just adding a shortcut from my downloads folder.


ComboFix 11-07-12.09 - karoni 07/12/2011 7:27.16.1 - x86
Running from: c:\users\karoni\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Resident AV is active
.
.
.
((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
.
.
2011-07-12 11:43 . 2011-07-12 11:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-07-12 11:43 . 2011-07-12 11:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-07-11 03:38 . 2011-07-12 11:43 -------- d-----w- c:\users\karoni\AppData\Local\temp
2011-07-04 22:31 . 2011-07-04 22:31 35 ----a-w- c:\users\karoni\AppData\Roaming\SetValue.bat
2011-07-04 22:31 . 2011-07-04 22:31 691 ----a-w- c:\users\karoni\AppData\Roaming\GetValue.vbs
2011-07-04 16:30 . 2011-07-04 16:30 56400 ----a-w- c:\windows\system32\drivers\tmrkb.sys
2011-07-04 16:30 . 2011-07-04 16:30 190032 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-07-03 16:48 . 2011-07-04 16:19 -------- d-----w- c:\users\karoni\FrostWire
2011-07-03 14:39 . 2011-07-03 14:39 -------- d-----w- c:\program files\AnVir Task Manager Free
2011-07-03 14:38 . 2011-07-03 15:20 -------- d-----w- c:\users\karoni\AppData\Local\AnVir
2011-07-02 17:53 . 2011-03-12 11:23 870912 ----a-w- c:\windows\system32\XpsPrint.dll
2011-07-02 17:53 . 2011-02-24 05:38 288256 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-07-02 17:53 . 2011-02-18 05:39 31232 ----a-w- c:\windows\system32\prevhost.exe
2011-07-02 17:51 . 2011-04-22 19:14 27008 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2011-07-02 17:50 . 2011-02-25 05:30 2616320 ----a-w- c:\windows\explorer.exe
2011-07-02 17:49 . 2011-05-04 04:32 1401344 ----a-w- c:\windows\system32\mssrch.dll
2011-07-02 17:49 . 2011-05-04 04:34 1549312 ----a-w- c:\windows\system32\tquery.dll
2011-07-02 17:49 . 2011-05-04 04:28 427520 ----a-w- c:\windows\system32\SearchIndexer.exe
2011-07-02 17:49 . 2011-05-04 04:32 337408 ----a-w- c:\windows\system32\mssph.dll
2011-07-02 17:49 . 2011-05-04 04:28 164352 ----a-w- c:\windows\system32\SearchProtocolHost.exe
2011-07-02 17:49 . 2011-05-04 04:32 666624 ----a-w- c:\windows\system32\mssvp.dll
2011-07-02 17:49 . 2011-05-04 04:28 86528 ----a-w- c:\windows\system32\SearchFilterHost.exe
2011-07-02 17:49 . 2011-05-04 04:32 197120 ----a-w- c:\windows\system32\mssphtb.dll
2011-07-02 17:49 . 2011-05-04 04:32 59392 ----a-w- c:\windows\system32\msscntrs.dll
2011-06-29 03:08 . 2011-05-24 10:44 293376 ----a-w- c:\windows\system32\umpnpmgr.dll
2011-06-24 22:14 . 2009-01-25 17:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2011-06-24 22:13 . 2011-05-11 00:19 770384 ----a-w- c:\windows\system32\msvcr100.dll
2011-06-24 22:13 . 2011-01-07 19:39 421200 ----a-w- c:\windows\system32\msvcp100.dll
2011-06-23 22:28 . 2011-06-24 22:15 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2011-06-23 22:23 . 2011-06-23 22:23 -------- d-----w- c:\users\karoni\AppData\Roaming\SUPERAntiSpyware.com
2011-06-23 22:23 . 2011-06-23 22:24 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-06-23 22:19 . 2011-06-23 22:19 -------- d-----w- c:\program files\Common Files\Java
2011-06-23 22:18 . 2011-06-23 22:18 -------- d-----w- c:\program files\Java
2011-06-21 00:34 . 2011-06-21 00:35 -------- d-----w- c:\program files\Common Files\Adobe
2011-06-17 22:07 . 2011-04-22 23:25 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-17 22:07 . 2011-04-25 15:29 141104 ----a-w- c:\program files\Internet Explorer\sqmapi.dll
2011-06-17 22:07 . 2011-04-22 23:35 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-17 22:05 . 2011-06-17 22:05 -------- d-sh--w- c:\windows\system32\%APPDATA%
2011-06-16 22:21 . 2011-04-29 02:46 311808 ----a-w- c:\windows\system32\drivers\srv.sys
2011-06-16 22:21 . 2011-04-29 02:46 310272 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-16 22:21 . 2011-04-29 02:46 114688 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-16 22:21 . 2011-04-25 04:31 1290624 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-06-16 22:21 . 2011-04-25 02:18 338944 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-16 22:21 . 2011-02-25 05:34 571904 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-16 22:21 . 2011-05-03 04:30 741376 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-16 22:21 . 2011-04-27 02:17 223744 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-16 22:21 . 2011-04-27 02:17 96768 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-16 22:21 . 2011-04-27 02:17 123904 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-23 22:18 . 2010-05-15 22:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-06-23 22:16 . 2011-05-12 00:37 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-11 13:29 . 2011-06-11 13:29 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2011-06-11 13:29 . 2011-06-11 13:29 161792 ----a-w- c:\windows\system32\msls31.dll
2011-06-11 13:29 . 2011-06-11 13:29 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-06-11 13:29 . 2011-06-11 13:29 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2011-06-11 13:29 . 2011-06-11 13:29 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2011-06-11 13:29 . 2011-06-11 13:29 86528 ----a-w- c:\windows\system32\iesysprep.dll
2011-06-11 13:29 . 2011-06-11 13:29 63488 ----a-w- c:\windows\system32\tdc.ocx
2011-06-11 13:29 . 2011-06-11 13:29 48640 ----a-w- c:\windows\system32\mshtmler.dll
2011-06-11 13:29 . 2011-06-11 13:29 367104 ----a-w- c:\windows\system32\html.iec
2011-06-11 13:29 . 2011-06-11 13:29 74752 ----a-w- c:\windows\system32\iesetup.dll
2011-06-11 13:29 . 2011-06-11 13:29 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2011-06-11 13:29 . 2011-06-11 13:29 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-06-11 13:29 . 2011-06-11 13:29 23552 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-11 13:29 . 2011-06-11 13:29 152064 ----a-w- c:\windows\system32\wextract.exe
2011-06-11 13:29 . 2011-06-11 13:29 150528 ----a-w- c:\windows\system32\iexpress.exe
2011-06-11 13:29 . 2011-06-11 13:29 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2011-06-11 13:29 . 2011-06-11 13:29 11776 ----a-w- c:\windows\system32\mshta.exe
2011-06-11 13:29 . 2011-06-11 13:29 101888 ----a-w- c:\windows\system32\admparse.dll
2011-06-11 13:29 . 2011-06-11 13:29 35840 ----a-w- c:\windows\system32\imgutil.dll
2011-04-30 00:23 . 2011-04-30 00:23 255352 ----a-w- c:\windows\system32\awrdscdc.ax
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows\system32\GPhotos.scr
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 01:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-26 1306216]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\3572475\Program\Compaq Connections.exe [2006-12-7 34520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 16:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-06-06 16:55 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnVir Task Manager Free]
2010-04-02 19:23 1733856 ----a-w- c:\program files\AnVir Task Manager Free\AnVir.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-02-15 01:32 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-01-30 00:52 135664 ----atw- c:\users\karoni\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2009-09-23 23:30 173592 ----a-w- c:\windows\System32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-02-17 07:11 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2006-11-22 00:36 1474560 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2009-09-23 23:30 141848 ----a-w- c:\windows\System32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2005-02-17 00:15 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2009-09-23 23:30 150552 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2009-03-11 00:19 468264 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
2011-05-11 02:27 5607080 ----a-w- c:\program files\Spybot - Search & Destroy 2\SDTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-06-10 16:26 2424192 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2007-09-15 06:50 1021224 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-15 06:29 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2009-07-14 01:14 660480 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2009-07-14 01:14 65024 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"QlbCtrl"=%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
.
R2 0275281310315314mcinstcleanup;McAfee Application Installer Cleanup (0275281310315314);c:\windows\TEMP\027528~1.EXE [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R3 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
R3 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files\Hewlett-Packard\Shared\HPDrvMntSvc.exe [2010-10-14 92216]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-03-13 85984]
R3 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-14 229688]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-25 1343400]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-03-13 163400]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-03-13 64648]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-14 54776]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-03-13 159832]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-03-13 148520]
S2 SDFirewallService;Spybot-S&D 2 Firewall Service;c:\program files\Spybot - Search & Destroy 2\SDFWSvc.exe [2011-05-11 3585696]
S2 SDMonitorService;Spybot-S&D 2 Monitoring Service;c:\program files\Spybot - Search & Destroy 2\SDMonSvc.exe [2011-05-11 3834456]
S2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [2011-05-11 3515656]
S2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [2011-05-11 3769048]
S2 SDWSCService;Spybot-S&D 2 Security Center Service;c:\program files\Spybot - Search & Destroy 2\SDWSCSvc.exe [2011-05-11 167040]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-03-13 57432]
S3 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-03-13 337912]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
*Deregistered* - MPFP
*Deregistered* - SASDIFSV
*Deregistered* - SASKUTIL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1643368254-1818270169-1135579119-1000Core.job
- c:\users\karoni\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-30 00:52]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1643368254-1818270169-1135579119-1000UA.job
- c:\users\karoni\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-30 00:52]
.
2011-07-12 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2009-10-12 05:01]
.
2011-03-20 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2009-10-12 05:01]
.
2011-03-20 c:\windows\Tasks\PC Health Advisor Defrag.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
.
2011-03-20 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
.
.
------- Supplementary Scan -------
.
uStart Page = www.facebook.com/login
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=PRESARIO&pf=laptop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: combofix.exe
Trusted Zone: infospyware.net\www
TCP: DhcpNameServer = 192.168.2.1
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(4136)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
Completion time: 2011-07-12 07:51:19
ComboFix-quarantined-files.txt 2011-07-12 11:51
ComboFix2.txt 2011-07-11 22:46
ComboFix3.txt 2011-07-04 15:59
ComboFix4.txt 2011-06-28 23:21
ComboFix5.txt 2011-07-12 11:19
.
Pre-Run: 70,005,907,456 bytes free
Post-Run: 69,972,385,792 bytes free
.
- - End Of File - - D826D63B3A1B89911FB7C6F0B7CCD085
  • 0
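Before the helper's reply, a note on reading the services and scheduled-task sections of the ComboFix log above. The script below is an added example, not part of the thread or of ComboFix; it embeds a few lines copied from that log and applies the checks an analyst makes first: a service whose binary ComboFix prints as `[x]` instead of a date and size (the file was not found), binaries under a TEMP directory or a user profile, and services that run inside svchost.exe, where the log line shows the host process and not the ServiceDll that actually runs. The function and class names are this example's own.

```python
"""Triage the service/driver and scheduled-task entries of a ComboFix log
(added example; not part of the thread or of ComboFix)."""
import re
from dataclasses import dataclass

# Service/driver line: R = running, S = stopped, digit = start type.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<info>[^\]]*)\]\s*$")
# Scheduled task: a date + .job path, then a '- path [date time]' line.
TASK_HDR_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)\s*$")
TASK_BIN_RE = re.compile(r"^- (?P<path>.+?) \[(?P<info>[^\]]*)\]\s*$")


@dataclass(frozen=True)
class Finding:
    kind: str        # "service" or "task"
    name: str        # service name or .job file name
    path: str        # binary ComboFix resolved the entry to
    flags: frozenset


def flags_for(path, info):
    """Return the triage flags for one resolved binary path."""
    p = path.lower()
    flags = set()
    if info.strip() == "x":            # ComboFix could not find the file
        flags.add("missing-binary")
    if "\\temp\\" in p:
        flags.add("temp-dir")
    if "\\users\\" in p or "\\appdata\\" in p:
        flags.add("user-profile")      # user-writable; legit updaters live here too
    if p.endswith("\\svchost.exe"):
        flags.add("svchost-hosted")    # real code is the service's ServiceDll
    return frozenset(flags)


def triage_combofix(text):
    """Parse service lines and two-line task entries out of ComboFix text."""
    findings = []
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = SERVICE_RE.match(line)
        if m:
            findings.append(Finding("service", m["name"], m["path"],
                                    flags_for(m["path"], m["info"])))
            continue
        m = TASK_HDR_RE.match(line)
        if m and i + 1 < len(lines):
            b = TASK_BIN_RE.match(lines[i + 1])
            if b:
                job = m["job"].rsplit("\\", 1)[-1]
                findings.append(Finding("task", job, b["path"],
                                        flags_for(b["path"], b["info"])))
    return findings


# Lines copied from the ComboFix log posted in this thread (excerpt).
SAMPLE_LOG = r"""
R2 0275281310315314mcinstcleanup;McAfee Application Installer Cleanup (0275281310315314);c:\windows\TEMP\027528~1.EXE [x]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2009-07-14 20992]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-03-13 159832]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1643368254-1818270169-1135579119-1000Core.job
- c:\users\karoni\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-30 00:52]
.
2011-03-20 c:\windows\Tasks\PC Health Advisor.job
- c:\program files\ParetoLogic\PCHA\PCHA.exe [2010-09-30 21:40]
"""

if __name__ == "__main__":
    for f in triage_combofix(SAMPLE_LOG):
        print(f"{f.kind:7} {f.name:50} {sorted(f.flags) or '-'}  {f.path}")
```

On the sample, the McAfee installer-cleanup service is flagged twice (binary missing, and it pointed into TEMP): a leftover registration rather than live code, but one to confirm. The Akamai entry shows the svchost case: the log's svchost group key (`Akamai REG_MULTI_SZ Akamai`) says a custom service group exists, and the module behind it has to be read from the service's Parameters\ServiceDll value, which ComboFix's service line does not print. The GoogleUpdate task is flagged only because it runs from the user profile; that is where Google's updater legitimately lives, so the flag is a prompt to verify the file, not a verdict.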

#7
michaelg9
    Trusted Helper
  • Malware Removal
  • 2,949 posts
Hello,

Disable your antivirus while performing the fixes


Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is unchecked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.



Next:


  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.


Next:


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O15 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\..Trusted Domains: combofix.exe ([]* in Trusted sites)
    O15 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\..Trusted Domains: infospyware.net ([www] http in Trusted sites)
    O15 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\..Trusted Ranges: Range1 ([http] in Local intranet)
    O32 - AutoRun File - [2010/05/05 16:20:58 | 000,000,103 | ---- | M] () - F:\Autorun.inf -- [ FAT32 ]
    [2011/07/04 18:31:34 | 000,000,035 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\SetValue.bat
    [2011/07/04 18:31:33 | 000,000,691 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\GetValue.vbs

    :Services

    :Reg

    :Files

    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again.
  • Under Extra Registry select Use Safelist
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    C:\Windows\System32\%APPDATA%\*.* /s

  • Click the Run Scan button. Post the log it produces in your next reply.

  • 0

#8
karonita
    Member
  • Topic Starter
  • Member
  • 50 posts
GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-13 07:16:27
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 ST9100827AS rev.3.BHD
Running: gmer.exe; Driver: C:\Users\karoni\AppData\Local\Temp\axdiipog.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8747DD48]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8747DD72]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8747DD5E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8747DD34]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8302E5C5 5 Bytes JMP 8747DD38 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!ZwSaveKey + 13C1 83040339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83079D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[552] ntdll.dll!NtCreateFile 76EE55C8 5 Bytes JMP 00380FEF
.text C:\Windows\system32\services.exe[552] ntdll.dll!NtCreateProcess 76EE5698 5 Bytes JMP 00380FCD
.text C:\Windows\system32\services.exe[552] ntdll.dll!NtProtectVirtualMemory 76EE5F18 5 Bytes JMP 00380FDE
.text C:\Windows\system32\services.exe[552] kernel32.dll!GetStartupInfoA 76971E10 5 Bytes JMP 004C0F5E
.text C:\Windows\system32\services.exe[552] kernel32.dll!CreateProcessW 7697204D 5 Bytes JMP 004C0F06
.text C:\Windows\system32\services.exe[552] kernel32.dll!CreateProcessA 76972082 5 Bytes JMP 004C0F17
.text C:\Windows\system32\services.exe[552] kernel32.dll!CreateNamedPipeW 769A270F 5 Bytes JMP 004C0025
.text C:\Windows\system32\services.exe[552] kernel32.dll!VirtualProtect 769B2341 5 Bytes JMP 004C0F8A
.text C:\Windows\system32\services.exe[552] kernel32.dll!LoadLibraryExW 769B4775 5 Bytes JMP 004C0062
.text C:\Windows\system32\services.exe[552] kernel32.dll!LoadLibraryExA 769B47FA 5 Bytes JMP 004C0051
.text C:\Windows\system32\services.exe[552] kernel32.dll!CreateFileW 769BCC56 5 Bytes JMP 004C0FE5
.text C:\Windows\system32\services.exe[552] kernel32.dll!CreateFileA 769BCEE8 5 Bytes JMP 004C0000
.text C:\Windows\system32\services.exe[552] kernel32.dll!GetProcAddress 769C33D3 5 Bytes JMP 004C00AC
.text C:\Windows\system32\services.exe[552] kernel32.dll!GetStartupInfoW 769C3891 5 Bytes JMP 004C0F43
.text C:\Windows\system32\services.exe[552] kernel32.dll!LoadLibraryA 769C395C 5 Bytes JMP 004C0FAF
.text C:\Windows\system32\services.exe[552] kernel32.dll!LoadLibraryW 769C3C01 5 Bytes JMP 004C0036
.text C:\Windows\system32\services.exe[552] kernel32.dll!CreatePipe 769D35B7 5 Bytes JMP 004C0F6F
.text C:\Windows\system32\services.exe[552] kernel32.dll!CreateNamedPipeA 769FD44F 5 Bytes JMP 004C0FCA
.text C:\Windows\system32\services.exe[552] kernel32.dll!WinExec 769FE5FD 5 Bytes JMP 004C0F32
.text C:\Windows\system32\services.exe[552] kernel32.dll!VirtualProtectEx 769FF5D9 5 Bytes JMP 004C0073
.text C:\Windows\system32\services.exe[552] msvcrt.dll!_open 764B7E48 5 Bytes JMP 004B0FEF
.text C:\Windows\system32\services.exe[552] msvcrt.dll!_wsystem 764EB04F 5 Bytes JMP 004B0062
.text C:\Windows\system32\services.exe[552] msvcrt.dll!system 764EB16F 5 Bytes JMP 004B0FCD
.text C:\Windows\system32\services.exe[552] msvcrt.dll!_creat 764EED29 5 Bytes JMP 004B0018
.text C:\Windows\system32\services.exe[552] msvcrt.dll!_wcreat 764F038E 5 Bytes JMP 004B003D
.text C:\Windows\system32\services.exe[552] msvcrt.dll!_wopen 764F0570 5 Bytes JMP 004B0FDE
.text C:\Windows\system32\services.exe[552] ADVAPI32.dll!RegOpenKeyA 76FECC15 5 Bytes JMP 004D0FE5
.text C:\Windows\system32\services.exe[552] ADVAPI32.dll!RegCreateKeyA 76FECD01 5 Bytes JMP 004D0039
.text C:\Windows\system32\services.exe[552] ADVAPI32.dll!RegCreateKeyExA 76FF1469 5 Bytes JMP 004D0FB2
.text C:\Windows\system32\services.exe[552] ADVAPI32.dll!RegCreateKeyW 76FF1514 5 Bytes JMP 004D004A
.text C:\Windows\system32\services.exe[552] ADVAPI32.dll!RegOpenKeyW 76FF2459 5 Bytes JMP 004D0FD4
.text C:\Windows\system32\services.exe[552] ADVAPI32.dll!RegCreateKeyExW 76FF40FE 5 Bytes JMP 004D006F
.text C:\Windows\system32\services.exe[552] ADVAPI32.dll!RegOpenKeyExW 76FF468D 5 Bytes JMP 004D0FC3
.text C:\Windows\system32\services.exe[552] ADVAPI32.dll!RegOpenKeyExA 76FF4907 5 Bytes JMP 004D0014
.text C:\Windows\system32\services.exe[552] WS2_32.dll!socket 77093EB8 5 Bytes JMP 00520000
.text C:\Windows\system32\lsass.exe[564] ntdll.dll!NtCreateFile 76EE55C8 5 Bytes JMP 001A0FE5
.text C:\Windows\system32\lsass.exe[564] ntdll.dll!NtCreateProcess 76EE5698 5 Bytes JMP 001A0FCA
.text C:\Windows\system32\lsass.exe[564] ntdll.dll!NtProtectVirtualMemory 76EE5F18 5 Bytes JMP 001A000A
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!GetStartupInfoA 76971E10 5 Bytes JMP 001C0054
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!CreateProcessW 7697204D 5 Bytes JMP 001C008A
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!CreateProcessA 76972082 5 Bytes JMP 001C0EFF
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!CreateNamedPipeW 769A270F 5 Bytes JMP 001C0F9E
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!VirtualProtect 769B2341 5 Bytes JMP 001C0F4D
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!LoadLibraryExW 769B4775 5 Bytes JMP 001C0025
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!LoadLibraryExA 769B47FA 5 Bytes JMP 001C0F68
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!CreateFileW 769BCC56 5 Bytes JMP 001C0FD4
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!CreateFileA 769BCEE8 5 Bytes JMP 001C0FEF
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!GetProcAddress 769C33D3 5 Bytes JMP 001C009B
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!GetStartupInfoW 769C3891 5 Bytes JMP 001C0065
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!LoadLibraryA 769C395C 5 Bytes JMP 001C0000
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!LoadLibraryW 769C3C01 5 Bytes JMP 001C0F83
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!CreatePipe 769D35B7 5 Bytes JMP 001C0F21
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!CreateNamedPipeA 769FD44F 5 Bytes JMP 001C0FB9
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!WinExec 769FE5FD 5 Bytes JMP 001C0F10
.text C:\Windows\system32\lsass.exe[564] kernel32.dll!VirtualProtectEx 769FF5D9 5 Bytes JMP 001C0F32
.text C:\Windows\system32\lsass.exe[564] msvcrt.dll!_open 764B7E48 5 Bytes JMP 001B0000
.text C:\Windows\system32\lsass.exe[564] msvcrt.dll!_wsystem 764EB04F 5 Bytes JMP 001B0FCD
.text C:\Windows\system32\lsass.exe[564] msvcrt.dll!system 764EB16F 5 Bytes JMP 001B0058
.text C:\Windows\system32\lsass.exe[564] msvcrt.dll!_creat 764EED29 5 Bytes JMP 001B002C
.text C:\Windows\system32\lsass.exe[564] msvcrt.dll!_wcreat 764F038E 5 Bytes JMP 001B0047
.text C:\Windows\system32\lsass.exe[564] msvcrt.dll!_wopen 764F0570 5 Bytes JMP 001B0011
.text C:\Windows\system32\lsass.exe[564] ADVAPI32.dll!RegOpenKeyA 76FECC15 5 Bytes JMP 001D0000
.text C:\Windows\system32\lsass.exe[564] ADVAPI32.dll!RegCreateKeyA 76FECD01 5 Bytes JMP 001D0FC0
.text C:\Windows\system32\lsass.exe[564] ADVAPI32.dll!RegCreateKeyExA 76FF1469 5 Bytes JMP 001D0047
.text C:\Windows\system32\lsass.exe[564] ADVAPI32.dll!RegCreateKeyW 76FF1514 5 Bytes JMP 001D0FA5
.text C:\Windows\system32\lsass.exe[564] ADVAPI32.dll!RegOpenKeyW 76FF2459 5 Bytes JMP 001D001B
.text C:\Windows\system32\lsass.exe[564] ADVAPI32.dll!RegCreateKeyExW 76FF40FE 5 Bytes JMP 001D0F8A
.text C:\Windows\system32\lsass.exe[564] ADVAPI32.dll!RegOpenKeyExW 76FF468D 5 Bytes JMP 001D0FDB
.text C:\Windows\system32\lsass.exe[564] ADVAPI32.dll!RegOpenKeyExA 76FF4907 5 Bytes JMP 001D002C
.text C:\Windows\system32\lsass.exe[564] WS2_32.dll!socket 77093EB8 5 Bytes JMP 00620000
.text C:\Windows\system32\svchost.exe[692] ntdll.dll!NtCreateFile 76EE55C8 5 Bytes JMP 004D000A
.text C:\Windows\system32\svchost.exe[692] ntdll.dll!NtCreateProcess 76EE5698 5 Bytes JMP 004D0FEF
.text C:\Windows\system32\svchost.exe[692] ntdll.dll!NtProtectVirtualMemory 76EE5F18 5 Bytes JMP 004D0025
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!GetStartupInfoA 76971E10 5 Bytes JMP 0091007D
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!CreateProcessW 7697204D 5 Bytes JMP 009100C4
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!CreateProcessA 76972082 5 Bytes JMP 00910F2F
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!CreateNamedPipeW 769A270F 5 Bytes JMP 0091001B
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!VirtualProtect 769B2341 5 Bytes JMP 00910F80
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!LoadLibraryExW 769B4775 5 Bytes JMP 00910F91
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!LoadLibraryExA 769B47FA 5 Bytes JMP 00910058
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!CreateFileW 769BCC56 5 Bytes JMP 00910FD4
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!CreateFileA 769BCEE8 5 Bytes JMP 00910FE5
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!GetProcAddress 769C33D3 5 Bytes JMP 00910F14
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!GetStartupInfoW 769C3891 5 Bytes JMP 0091008E
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!LoadLibraryA 769C395C 5 Bytes JMP 0091002C
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!LoadLibraryW 769C3C01 5 Bytes JMP 00910047
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!CreatePipe 769D35B7 5 Bytes JMP 00910F4A
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!CreateNamedPipeA 769FD44F 5 Bytes JMP 0091000A
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!WinExec 769FE5FD 5 Bytes JMP 0091009F
.text C:\Windows\system32\svchost.exe[692] kernel32.dll!VirtualProtectEx 769FF5D9 5 Bytes JMP 00910F6F
.text C:\Windows\system32\svchost.exe[692] msvcrt.dll!_open 764B7E48 5 Bytes JMP 004E0000
.text C:\Windows\system32\svchost.exe[692] msvcrt.dll!_wsystem 764EB04F 5 Bytes JMP 004E0FA8
.text C:\Windows\system32\svchost.exe[692] msvcrt.dll!system 764EB16F 5 Bytes JMP 004E0033
.text C:\Windows\system32\svchost.exe[692] msvcrt.dll!_creat 764EED29 5 Bytes JMP 004E0FD4
.text C:\Windows\system32\svchost.exe[692] msvcrt.dll!_wcreat 764F038E 5 Bytes JMP 004E0FC3
.text C:\Windows\system32\svchost.exe[692] msvcrt.dll!_wopen 764F0570 5 Bytes JMP 004E0FEF
.text C:\Windows\system32\svchost.exe[692] ADVAPI32.dll!RegOpenKeyA 76FECC15 5 Bytes JMP 00920000
.text C:\Windows\system32\svchost.exe[692] ADVAPI32.dll!RegCreateKeyA 76FECD01 5 Bytes JMP 00920040
.text C:\Windows\system32\svchost.exe[692] ADVAPI32.dll!RegCreateKeyExA 76FF1469 5 Bytes JMP 00920062
.text C:\Windows\system32\svchost.exe[692] ADVAPI32.dll!RegCreateKeyW 76FF1514 5 Bytes JMP 00920051
.text C:\Windows\system32\svchost.exe[692] ADVAPI32.dll!RegOpenKeyW 76FF2459 5 Bytes JMP 0092001B
.text C:\Windows\system32\svchost.exe[692] ADVAPI32.dll!RegCreateKeyExW 76FF40FE 5 Bytes JMP 00920F9B
.text C:\Windows\system32\svchost.exe[692] ADVAPI32.dll!RegOpenKeyExW 76FF468D 5 Bytes JMP 00920FDE
.text C:\Windows\system32\svchost.exe[692] ADVAPI32.dll!RegOpenKeyExA 76FF4907 5 Bytes JMP 00920FEF
.text C:\Windows\system32\svchost.exe[692] WS2_32.dll!socket 77093EB8 5 Bytes JMP 00970000
.text C:\Windows\system32\svchost.exe[756] ntdll.dll!NtCreateFile 76EE55C8 5 Bytes JMP 0019000A
.text C:\Windows\system32\svchost.exe[756] ntdll.dll!NtCreateProcess 76EE5698 5 Bytes JMP 00190FE5
.text C:\Windows\system32\svchost.exe[2636] kernel32.dll!CreateFileW 769BCC56 5 Bytes JMP 00010FE5
.text C:\Windows\system32\svchost.exe[2636] kernel32.dll!CreateFileA 769BCEE8 5 Bytes JMP 00010000
.text C:\Windows\system32\svchost.exe[2636] kernel32.dll!GetProcAddress 769C33D3 5 Bytes JMP 00010F3C
.text C:\Windows\system32\svchost.exe[2636] kernel32.dll!GetStartupInfoW 769C3891 5 Bytes JMP 00010F68
.text C:\Windows\system32\svchost.exe[2636] kernel32.dll!LoadLibraryA 769C395C 5 Bytes JMP 00010036
.text C:\Windows\system32\svchost.exe[2636] kernel32.dll!LoadLibraryW 769C3C01 5 Bytes JMP 00010FB9
.text C:\Windows\system32\svchost.exe[2636] kernel32.dll!CreatePipe 769D35B7 5 Bytes JMP 00010098
.text C:\Windows\system32\svchost.exe[2636] kernel32.dll!CreateNamedPipeA 769FD44F 5 Bytes JMP 0001001B
.text C:\Windows\system32\svchost.exe[2636] kernel32.dll!WinExec 769FE5FD 5 Bytes JMP 000100D1
.text C:\Windows\system32\svchost.exe[2636] kernel32.dll!VirtualProtectEx 769FF5D9 5 Bytes JMP 00010087
.text C:\Windows\system32\svchost.exe[2636] msvcrt.dll!_open 764B7E48 5 Bytes JMP 00070FE3
.text C:\Windows\system32\svchost.exe[2636] msvcrt.dll!_wsystem 764EB04F 5 Bytes JMP 00070FAB
.text C:\Windows\system32\svchost.exe[2636] msvcrt.dll!system 764EB16F 5 Bytes JMP 00070FBC
.text C:\Windows\system32\svchost.exe[2636] msvcrt.dll!_creat 764EED29 5 Bytes JMP 00070011
.text C:\Windows\system32\svchost.exe[2636] msvcrt.dll!_wcreat 764F038E 5 Bytes JMP 0007002C
.text C:\Windows\system32\svchost.exe[2636] msvcrt.dll!_wopen 764F0570 5 Bytes JMP 00070000
.text C:\Windows\system32\svchost.exe[2636] ADVAPI32.dll!RegOpenKeyA 76FECC15 5 Bytes JMP 00130000
.text C:\Windows\system32\svchost.exe[2636] ADVAPI32.dll!RegCreateKeyA 76FECD01 5 Bytes JMP 00130FDE
.text C:\Windows\system32\svchost.exe[2636] ADVAPI32.dll!RegCreateKeyExA 76FF1469 5 Bytes JMP 00130076
.text C:\Windows\system32\svchost.exe[2636] ADVAPI32.dll!RegCreateKeyW 76FF1514 5 Bytes JMP 00130065
.text C:\Windows\system32\svchost.exe[2636] ADVAPI32.dll!RegOpenKeyW 76FF2459 5 Bytes JMP 00130025
.text C:\Windows\system32\svchost.exe[2636] ADVAPI32.dll!RegCreateKeyExW 76FF40FE 5 Bytes JMP 00130091
.text C:\Windows\system32\svchost.exe[2636] ADVAPI32.dll!RegOpenKeyExW 76FF468D 5 Bytes JMP 00130FEF
.text C:\Windows\system32\svchost.exe[2636] ADVAPI32.dll!RegOpenKeyExA 76FF4907 5 Bytes JMP 00130040
.text C:\Windows\system32\svchost.exe[2636] WS2_32.dll!socket 77093EB8 5 Bytes JMP 00410FEF
.text C:\Windows\system32\wuauclt.exe[4016] ntdll.dll!NtCreateFile 76EE55C8 5 Bytes JMP 00040FEF
.text C:\Windows\system32\wuauclt.exe[4016] ntdll.dll!NtCreateProcess 76EE5698 5 Bytes JMP 0004000A
.text C:\Windows\system32\wuauclt.exe[4016] ntdll.dll!NtProtectVirtualMemory 76EE5F18 5 Bytes JMP 00040FD4
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!GetStartupInfoA 76971E10 5 Bytes JMP 0001009F
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!CreateProcessW 7697204D 5 Bytes JMP 000100E6
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!CreateProcessA 76972082 5 Bytes JMP 00010F51
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!CreateNamedPipeW 769A270F 5 Bytes JMP 00010FAF
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!VirtualProtect 769B2341 5 Bytes JMP 00010073
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!LoadLibraryExW 769B4775 5 Bytes JMP 00010058
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!LoadLibraryExA 769B47FA 5 Bytes JMP 00010047
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!CreateFileW 769BCC56 5 Bytes JMP 00010FE5
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!CreateFileA 769BCEE8 5 Bytes JMP 00010000
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!GetProcAddress 769C33D3 5 Bytes JMP 000100F7
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!GetStartupInfoW 769C3891 5 Bytes JMP 000100B0
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!LoadLibraryA 769C395C 5 Bytes JMP 00010025
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!LoadLibraryW 769C3C01 5 Bytes JMP 00010036
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!CreatePipe 769D35B7 5 Bytes JMP 00010F76
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!CreateNamedPipeA 769FD44F 5 Bytes JMP 00010FCA
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!WinExec 769FE5FD 5 Bytes JMP 000100CB
.text C:\Windows\system32\wuauclt.exe[4016] kernel32.dll!VirtualProtectEx 769FF5D9 5 Bytes JMP 00010084
.text C:\Windows\system32\wuauclt.exe[4016] msvcrt.dll!_open 764B7E48 5 Bytes JMP 000F0000
.text C:\Windows\system32\wuauclt.exe[4016] msvcrt.dll!_wsystem 764EB04F 5 Bytes JMP 000F0058
.text C:\Windows\system32\wuauclt.exe[4016] msvcrt.dll!system 764EB16F 5 Bytes JMP 000F0047
.text C:\Windows\system32\wuauclt.exe[4016] msvcrt.dll!_creat 764EED29 5 Bytes JMP 000F002C
.text C:\Windows\system32\wuauclt.exe[4016] msvcrt.dll!_wcreat 764F038E 5 Bytes JMP 000F0FD7
.text C:\Windows\system32\wuauclt.exe[4016] msvcrt.dll!_wopen 764F0570 5 Bytes JMP 000F0011
.text C:\Windows\system32\wuauclt.exe[4016] ADVAPI32.dll!RegOpenKeyA 76FECC15 5 Bytes JMP 00100000
.text C:\Windows\system32\wuauclt.exe[4016] ADVAPI32.dll!RegCreateKeyA 76FECD01 5 Bytes JMP 00100040
.text C:\Windows\system32\wuauclt.exe[4016] ADVAPI32.dll!RegCreateKeyExA 76FF1469 5 Bytes JMP 00100FA8
.text C:\Windows\system32\wuauclt.exe[4016] ADVAPI32.dll!RegCreateKeyW 76FF1514 5 Bytes JMP 00100FB9
.text C:\Windows\system32\wuauclt.exe[4016] ADVAPI32.dll!RegOpenKeyW 76FF2459 5 Bytes JMP 00100FE5
.text C:\Windows\system32\wuauclt.exe[4016] ADVAPI32.dll!RegCreateKeyExW 76FF40FE 5 Bytes JMP 0010005B
.text C:\Windows\system32\wuauclt.exe[4016] ADVAPI32.dll!RegOpenKeyExW 76FF468D 5 Bytes JMP 00100FCA
.text C:\Windows\system32\wuauclt.exe[4016] ADVAPI32.dll!RegOpenKeyExA 76FF4907 5 Bytes JMP 0010001B
.text C:\Windows\system32\svchost.exe[4364] ntdll.dll!NtCreateFile 76EE55C8 5 Bytes JMP 0004000A
.text C:\Windows\system32\svchost.exe[4364] ntdll.dll!NtCreateProcess 76EE5698 5 Bytes JMP 00040FDE
.text C:\Windows\system32\svchost.exe[4364] ntdll.dll!NtProtectVirtualMemory 76EE5F18 5 Bytes JMP 00040FEF
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!GetStartupInfoA 76971E10 5 Bytes JMP 000100B6
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!CreateProcessW 7697204D 5 Bytes JMP 00010F4D
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!CreateProcessA 76972082 5 Bytes JMP 000100E2
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!CreateNamedPipeW 769A270F 5 Bytes JMP 00010036
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!VirtualProtect 769B2341 5 Bytes JMP 00010087
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!LoadLibraryExW 769B4775 5 Bytes JMP 0001006C
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!LoadLibraryExA 769B47FA 5 Bytes JMP 0001005B
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!CreateFileW 769BCC56 5 Bytes JMP 00010000
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!CreateFileA 769BCEE8 5 Bytes JMP 00010FE5
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!GetProcAddress 769C33D3 5 Bytes JMP 000100FD
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!GetStartupInfoW 769C3891 5 Bytes JMP 00010F72
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!LoadLibraryA 769C395C 5 Bytes JMP 00010FCA
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!LoadLibraryW 769C3C01 5 Bytes JMP 00010FB9
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!CreatePipe 769D35B7 5 Bytes JMP 00010F8D
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!CreateNamedPipeA 769FD44F 5 Bytes JMP 0001001B
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!WinExec 769FE5FD 5 Bytes JMP 000100D1
.text C:\Windows\system32\svchost.exe[4364] kernel32.dll!VirtualProtectEx 769FF5D9 5 Bytes JMP 00010F9E
.text C:\Windows\system32\svchost.exe[4364] msvcrt.dll!_open 764B7E48 5 Bytes JMP 000E0FEF
.text C:\Windows\system32\svchost.exe[4364] msvcrt.dll!_wsystem 764EB04F 5 Bytes JMP 000E0FAF
.text C:\Windows\system32\svchost.exe[4364] msvcrt.dll!system 764EB16F 5 Bytes JMP 000E0044
.text C:\Windows\system32\svchost.exe[4364] msvcrt.dll!_creat 764EED29 5 Bytes JMP 000E0FD4
.text C:\Windows\system32\svchost.exe[4364] msvcrt.dll!_wcreat 764F038E 5 Bytes JMP 000E0033
.text C:\Windows\system32\svchost.exe[4364] msvcrt.dll!_wopen 764F0570 5 Bytes JMP 000E000C
.text C:\Windows\system32\svchost.exe[4364] ADVAPI32.dll!RegOpenKeyA 76FECC15 5 Bytes JMP 00130FEF
.text C:\Windows\system32\svchost.exe[4364] ADVAPI32.dll!RegCreateKeyA 76FECD01 5 Bytes JMP 00130051
.text C:\Windows\system32\svchost.exe[4364] ADVAPI32.dll!RegCreateKeyExA 76FF1469 5 Bytes JMP 00130FAF
.text C:\Windows\system32\svchost.exe[4364] ADVAPI32.dll!RegCreateKeyW 76FF1514 5 Bytes JMP 00130FC0
.text C:\Windows\system32\svchost.exe[4364] ADVAPI32.dll!RegOpenKeyW 76FF2459 5 Bytes JMP 00130014
.text C:\Windows\system32\svchost.exe[4364] ADVAPI32.dll!RegCreateKeyExW 76FF40FE 5 Bytes JMP 00130F94
.text C:\Windows\system32\svchost.exe[4364] ADVAPI32.dll!RegOpenKeyExW 76FF468D 5 Bytes JMP 00130040
.text C:\Windows\system32\svchost.exe[4364] ADVAPI32.dll!RegOpenKeyExA 76FF4907 5 Bytes JMP 0013002F
.text C:\Windows\system32\svchost.exe[4364] WS2_32.dll!socket 77093EB8 5 Bytes JMP 00140FEF
.text C:\Windows\System32\svchost.exe[5596] ntdll.dll!NtCreateFile 76EE55C8 5 Bytes JMP 00040000
.text C:\Windows\System32\svchost.exe[5596] ntdll.dll!NtCreateProcess 76EE5698 5 Bytes JMP 00040040
.text C:\Windows\System32\svchost.exe[5596] ntdll.dll!NtProtectVirtualMemory 76EE5F18 5 Bytes JMP 0004001B
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!GetStartupInfoA 76971E10 5 Bytes JMP 00010F17
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!CreateProcessW 7697204D 5 Bytes JMP 00010087
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!CreateProcessA 76972082 5 Bytes JMP 00010076
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!CreateNamedPipeW 769A270F 5 Bytes JMP 0001000A
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!VirtualProtect 769B2341 5 Bytes JMP 00010F57
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!LoadLibraryExW 769B4775 5 Bytes JMP 00010F68
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!LoadLibraryExA 769B47FA 5 Bytes JMP 00010025
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!CreateFileW 769BCC56 5 Bytes JMP 00010FDE
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!CreateFileA 769BCEE8 5 Bytes JMP 00010FEF
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!GetProcAddress 769C33D3 5 Bytes JMP 00010EE1
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!GetStartupInfoW 769C3891 5 Bytes JMP 00010065
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!LoadLibraryA 769C395C 5 Bytes JMP 00010F94
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!LoadLibraryW 769C3C01 5 Bytes JMP 00010F83
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!CreatePipe 769D35B7 5 Bytes JMP 0001004A
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!CreateNamedPipeA 769FD44F 5 Bytes JMP 00010FB9
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!WinExec 769FE5FD 5 Bytes JMP 00010F06
.text C:\Windows\System32\svchost.exe[5596] kernel32.dll!VirtualProtectEx 769FF5D9 5 Bytes JMP 00010F3C
.text C:\Windows\System32\svchost.exe[5596] msvcrt.dll!_open 764B7E48 5 Bytes JMP 0022000C
.text C:\Windows\System32\svchost.exe[5596] msvcrt.dll!_wsystem 764EB04F 5 Bytes JMP 00220FC8
.text C:\Windows\System32\svchost.exe[5596] msvcrt.dll!system 764EB16F 5 Bytes JMP 00220053
.text C:\Windows\System32\svchost.exe[5596] msvcrt.dll!_creat 764EED29 5 Bytes JMP 0022002E
.text C:\Windows\System32\svchost.exe[5596] msvcrt.dll!_wcreat 764F038E 5 Bytes JMP 00220FE3
.text C:\Windows\System32\svchost.exe[5596] msvcrt.dll!_wopen 764F0570 5 Bytes JMP 0022001D
.text C:\Windows\System32\svchost.exe[5596] WS2_32.dll!socket 77093EB8 5 Bytes JMP 00230FEF
.text C:\Windows\System32\svchost.exe[5596] ADVAPI32.dll!RegOpenKeyA 76FECC15 5 Bytes JMP 002B0FEF
.text C:\Windows\System32\svchost.exe[5596] ADVAPI32.dll!RegCreateKeyA 76FECD01 5 Bytes JMP 002B0FA5
.text C:\Windows\System32\svchost.exe[5596] ADVAPI32.dll!RegCreateKeyExA 76FF1469 5 Bytes JMP 002B0051
.text C:\Windows\System32\svchost.exe[5596] ADVAPI32.dll!RegCreateKeyW 76FF1514 5 Bytes JMP 002B002C
.text C:\Windows\System32\svchost.exe[5596] ADVAPI32.dll!RegOpenKeyW 76FF2459 5 Bytes JMP 002B0FD4
.text C:\Windows\System32\svchost.exe[5596] ADVAPI32.dll!RegCreateKeyExW 76FF40FE 5 Bytes JMP 002B0F94
.text C:\Windows\System32\svchost.exe[5596] ADVAPI32.dll!RegOpenKeyExW 76FF468D 5 Bytes JMP 002B001B
.text C:\Windows\System32\svchost.exe[5596] ADVAPI32.dll!RegOpenKeyExA 76FF4907 5 Bytes JMP 002B000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\svchost.exe[936] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess] [3052CBB4] C:\Program Files\Spybot - Search & Destroy 2\SDCoffPH.dll (Hooks for on-access monitoring/Safer-Networking Ltd.)
IAT C:\Windows\system32\svchost.exe[964] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!ExitProcess] [3052CBB4] C:\Program Files\Spybot - Search & Destroy 2\SDCoffPH.dll (Hooks for on-access monitoring/Safer-Networking Ltd.)
IAT C:\Windows\system32\mfevtps.exe[1580] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [00D9A510] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73CD2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73CB5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73CB56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73CD24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73CC8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73CC4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73CC506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73CC5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73CC6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73CC826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73CC87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73CC901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73CCE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73CC4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2760] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74F7FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2760] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74F7FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2760] @ C:\Windows\system32\advapi32.dll [KERNEL32.dll!GetProcAddress] [74F7FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2760] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74F7FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2760] @ C:\Windows\system32\crypt32.dll [KERNEL32.dll!GetProcAddress] [74F7FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe[2760] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74F7FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[6116] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74F7FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[6116] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74F7FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[6116] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74F7FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[6116] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74F7FFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\00000054 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----


OTL logfile created on: 7/13/2011 07:32:09 - Run 4
OTL by OldTimer - Version 3.2.26.0 Folder = C:\Users\karoni\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.62 Mb Total Physical Memory | 42.11 Mb Available Physical Memory | 8.23% Memory free
2.94 Gb Paging File | 1.78 Gb Available in Paging File | 60.39% Paging File free
Paging file location(s): c:\pagefile.sys 2500 2500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 87.62 Gb Total Space | 65.26 Gb Free Space | 74.48% Space Free | Partition Type: NTFS
Drive D: | 5.54 Gb Total Space | 1.05 Gb Free Space | 18.92% Space Free | Partition Type: NTFS
Drive F: | 29.91 Gb Total Space | 25.91 Gb Free Space | 86.62% Space Free | Partition Type: FAT32

Computer Name: KARONI-PC | User Name: karoni | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/05 23:04:45 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\karoni\Downloads\OTL.exe
PRC - [2011/05/25 21:24:16 | 001,306,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/05/11 15:10:44 | 000,167,040 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2011/05/10 22:28:30 | 003,769,048 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
PRC - [2011/05/10 22:21:12 | 003,834,456 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDMonSvc.exe
PRC - [2011/05/10 22:18:34 | 003,585,696 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe
PRC - [2011/05/10 22:18:08 | 003,515,656 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2010/12/15 23:46:06 | 000,151,056 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\Core\mchost.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 08:17:00 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2006/10/10 20:44:20 | 000,034,520 | ---- | M] (Hewlett Packard) -- C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe


========== Modules (SafeList) ==========

MOD - [2011/07/05 23:04:45 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\karoni\Downloads\OTL.exe
MOD - [2011/04/08 16:56:28 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/11/20 07:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (0275281310315314mcinstcleanup) McAfee Application Installer Cleanup (0275281310315314)
SRV - [2011/06/29 17:43:25 | 003,435,096 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_e477fed.dll -- (Akamai)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/05/11 15:10:44 | 000,167,040 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe -- (SDWSCService)
SRV - [2011/05/10 22:28:30 | 003,769,048 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe -- (SDUpdateService)
SRV - [2011/05/10 22:21:12 | 003,834,456 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDMonSvc.exe -- (SDMonitorService)
SRV - [2011/05/10 22:18:34 | 003,585,696 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe -- (SDFirewallService)
SRV - [2011/05/10 22:18:08 | 003,515,656 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe -- (SDScannerService)
SRV - [2011/03/17 16:38:42 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/10/14 17:27:38 | 000,092,216 | ---- | M] (Hewlett-Packard Company) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe -- (HPDrvMntSvc.exe)
SRV - [2010/04/25 10:57:16 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/04/13 21:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Stopped] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2006/06/26 13:50:08 | 000,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr)
SRV - [2004/10/22 07:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,163,400 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,064,648 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/04/13 21:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\System32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2010/02/25 00:02:30 | 000,015,544 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2009/11/04 16:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/07/22 07:42:58 | 000,051,200 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/03/04 02:32:00 | 000,188,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2007/07/10 06:27:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/02 10:43:50 | 000,145,920 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2006/06/28 13:57:00 | 000,008,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\eabfiltr.sys -- (eabfiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...SARIO&pf=laptop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.facebook.com/login
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.4: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\karoni\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\karoni\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/23 21:24:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/23 21:24:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/24 18:41:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Google\Web Accelerator\firefox [2011/06/23 18:39:43 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/23 21:24:27 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/23 21:24:28 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/24 18:41:36 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Google\Web Accelerator\firefox [2011/06/23 18:39:43 | 000,000,000 | ---D | M]

[2010/04/24 18:41:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\karoni\AppData\Roaming\Mozilla\Extensions
[2010/04/16 21:33:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\karoni\AppData\Roaming\Mozilla\Extensions\[email protected]

O1 HOSTS File: ([2011/07/11 18:32:52 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - File not found
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (&Google Web Accelerator Helper) - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20110616185531.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Web Accelerator) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O15 - HKCU\..Trusted Domains: combofix.exe ([]* in Trusted sites)
O15 - HKCU\..Trusted Domains: infospyware.net ([www] http in Trusted sites)
O15 - HKCU\..Trusted Ranges: Range1 ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O24 - Desktop WallPaper: C:\Users\karoni\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\karoni\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 11:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O32 - AutoRun File - [2010/05/05 16:20:58 | 000,000,103 | ---- | M] () - F:\Autorun.inf -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/13 05:54:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2011/07/12 07:57:14 | 000,000,000 | ---D | C] -- C:\Windows\TEMP
[2011/07/12 07:47:57 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/07/12 07:19:29 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/07/11 17:56:35 | 000,518,144 | R--- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/07/11 17:56:35 | 000,406,528 | R--- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/07/11 17:50:34 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/07/10 23:38:14 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Local\temp
[2011/07/04 12:30:29 | 000,056,400 | ---- | C] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2011/07/04 12:30:28 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2011/07/03 12:48:48 | 000,000,000 | ---D | C] -- C:\Users\karoni\FrostWire
[2011/07/03 11:06:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Disabled by AnVir)
[2011/07/03 10:39:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnVir Task Manager Free
[2011/07/03 10:39:02 | 000,000,000 | ---D | C] -- C:\Program Files\AnVir Task Manager Free
[2011/07/03 10:38:01 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Local\AnVir
[2011/07/02 13:53:31 | 000,870,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2011/07/02 13:53:27 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2011/07/02 13:53:24 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\prevhost.exe
[2011/07/02 13:51:29 | 000,027,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\Diskdump.sys
[2011/07/02 13:50:17 | 002,616,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\explorer.exe
[2011/07/02 13:49:56 | 001,401,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssrch.dll
[2011/07/02 13:49:55 | 001,549,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tquery.dll
[2011/07/02 13:49:52 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssph.dll
[2011/07/02 13:49:47 | 000,666,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssvp.dll
[2011/07/02 13:49:45 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssphtb.dll
[2011/07/02 13:49:43 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msscntrs.dll
[2011/06/28 19:28:12 | 000,000,000 | ---D | C] -- C:\Users\karoni\Desktop\log
[2011/06/24 18:14:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
[2011/06/24 18:14:13 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\Windows\System32\sdnclean.exe
[2011/06/24 18:13:35 | 000,770,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcr100.dll
[2011/06/24 18:13:35 | 000,421,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcp100.dll
[2011/06/24 18:08:52 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FrostWire
[2011/06/23 18:39:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Web Accelerator
[2011/06/23 18:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2011/06/23 18:23:35 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Roaming\SUPERAntiSpyware.com
[2011/06/23 18:23:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2011/06/23 18:23:10 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/06/23 18:19:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/23 18:19:12 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/23 18:19:12 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/23 18:19:12 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/23 18:18:37 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/06/20 20:34:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/06/20 20:34:37 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/06/17 18:07:33 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/06/17 18:07:31 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/06/17 18:07:31 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/06/17 18:07:30 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/06/17 18:05:50 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010/10/13 19:17:07 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\karoni\AppData\Roaming\pcouffin.sys
[2010/09/03 22:07:39 | 003,063,561 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\MobileTV.exe
[2010/09/03 22:07:39 | 002,989,660 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\DVD.exe
[2010/09/03 22:07:38 | 002,864,396 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\MPV.exe
[2010/09/03 22:07:38 | 002,331,174 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\Karaoke.exe
[2010/09/03 22:07:37 | 002,231,606 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\Games.exe

========== Files - Modified Within 30 Days ==========

[2011/07/13 07:23:15 | 000,132,597 | ---- | M] () -- C:\Users\karoni\Desktop\Flash_Disinfector.exe
[2011/07/13 06:44:31 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1643368254-1818270169-1135579119-1000UA.job
[2011/07/13 06:21:10 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/07/13 06:21:10 | 000,009,728 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/07/13 06:15:06 | 000,293,977 | ---- | M] () -- C:\Users\karoni\Desktop\gmer.zip
[2011/07/13 05:52:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/07/13 05:52:39 | 402,350,080 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/12 18:44:20 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1643368254-1818270169-1135579119-1000Core.job
[2011/07/12 18:00:02 | 000,000,446 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration3.job
[2011/07/11 22:51:22 | 162,372,208 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/07/11 22:36:18 | 000,000,606 | ---- | M] () -- C:\Users\karoni\Desktop\fsecuree
[2011/07/11 18:32:52 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/07/05 21:26:00 | 000,001,041 | ---- | M] () -- C:\Users\karoni\AppData\Roaming\vso_ts_preview.xml
[2011/07/04 18:31:34 | 000,000,691 | ---- | M] () -- C:\Users\karoni\AppData\Roaming\GetValue.vbs
[2011/07/04 18:31:34 | 000,000,035 | ---- | M] () -- C:\Users\karoni\AppData\Roaming\SetValue.bat
[2011/07/04 12:30:29 | 000,056,400 | ---- | M] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2011/07/04 12:30:28 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2011/07/04 12:05:45 | 000,624,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/07/04 12:05:45 | 000,106,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/07/03 10:39:04 | 000,000,997 | ---- | M] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\AnVir Task Manager Free.lnk
[2011/07/03 10:39:03 | 000,001,039 | ---- | M] () -- C:\Users\Public\Desktop\AnVir Task Manager Free.lnk
[2011/07/02 17:35:22 | 000,389,408 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/06/30 17:54:24 | 000,012,660 | ---- | M] () -- C:\Users\karoni\Documents\cc_20110630_175401.reg
[2011/06/26 12:34:12 | 000,000,000 | ---- | M] () -- C:\Users\karoni\AppData\Roaming\.googlewebacchosts
[2011/06/26 02:45:56 | 000,256,000 | ---- | M] () -- C:\Windows\PEV.exe
[2011/06/24 18:14:15 | 000,002,123 | ---- | M] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2011/06/24 18:08:53 | 000,001,203 | ---- | M] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.21.8.lnk
[2011/06/24 18:08:52 | 000,001,179 | ---- | M] () -- C:\Users\karoni\Desktop\FrostWire 4.21.8.lnk
[2011/06/23 18:39:44 | 000,001,181 | ---- | M] () -- C:\Users\karoni\Desktop\Google Web Accelerator.lnk
[2011/06/23 18:23:27 | 000,001,965 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/06/23 18:18:49 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/23 18:18:49 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/23 18:18:48 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/23 18:18:46 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/06/23 18:16:26 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/20 20:35:20 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk

========== Files Created - No Company Name ==========

[2011/07/13 07:22:57 | 000,132,597 | ---- | C] () -- C:\Users\karoni\Desktop\Flash_Disinfector.exe
[2011/07/13 06:15:18 | 000,293,977 | ---- | C] () -- C:\Users\karoni\Desktop\gmer.zip
[2011/07/11 22:36:18 | 000,000,606 | ---- | C] () -- C:\Users\karoni\Desktop\fsecuree
[2011/07/11 17:56:39 | 000,208,896 | R--- | C] () -- C:\Windows\MBR.exe
[2011/07/11 17:56:35 | 000,098,816 | R--- | C] () -- C:\Windows\sed.exe
[2011/07/11 17:56:35 | 000,080,412 | R--- | C] () -- C:\Windows\grep.exe
[2011/07/11 17:56:35 | 000,068,096 | R--- | C] () -- C:\Windows\zip.exe
[2011/07/04 18:31:34 | 000,000,035 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\SetValue.bat
[2011/07/04 18:31:33 | 000,000,691 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\GetValue.vbs
[2011/07/03 10:39:04 | 000,000,997 | ---- | C] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\AnVir Task Manager Free.lnk
[2011/07/03 10:39:02 | 000,001,039 | ---- | C] () -- C:\Users\Public\Desktop\AnVir Task Manager Free.lnk
[2011/06/30 17:54:17 | 000,012,660 | ---- | C] () -- C:\Users\karoni\Documents\cc_20110630_175401.reg
[2011/06/26 02:45:56 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/06/24 18:14:15 | 000,002,135 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2011/06/24 18:14:15 | 000,002,123 | ---- | C] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2011/06/24 18:08:53 | 000,001,203 | ---- | C] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.21.8.lnk
[2011/06/24 18:08:52 | 000,001,179 | ---- | C] () -- C:\Users\karoni\Desktop\FrostWire 4.21.8.lnk
[2011/06/23 18:45:14 | 000,000,000 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\.googlewebacchosts
[2011/06/23 18:39:44 | 000,001,181 | ---- | C] () -- C:\Users\karoni\Desktop\Google Web Accelerator.lnk
[2011/06/23 18:23:27 | 000,001,965 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/06/20 20:35:19 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/20 20:35:19 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/03/20 13:42:53 | 000,006,656 | ---- | C] () -- C:\Windows\System32\bcmwlrc.dll
[2010/12/22 21:22:02 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/11/09 21:50:41 | 000,000,017 | ---- | C] () -- C:\Users\karoni\AppData\Local\resmon.resmoncfg
[2010/10/13 19:17:07 | 000,007,887 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\pcouffin.cat
[2010/10/13 19:17:07 | 000,001,144 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\pcouffin.inf
[2010/10/10 18:19:03 | 000,001,041 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\vso_ts_preview.xml
[2010/10/10 11:22:41 | 000,000,039 | ---- | C] () -- C:\Windows\WININIT.INI
[2010/10/10 10:30:01 | 000,000,000 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\wklnhst.dat
[2010/04/24 19:18:07 | 000,000,279 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2010/04/24 18:48:38 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2010/04/17 17:01:27 | 000,000,000 | ---- | C] () -- C:\Windows\setup32.INI
[2010/02/12 23:21:31 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 00:33:53 | 000,389,408 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,624,178 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,106,522 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/06 07:02:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2006/09/19 03:02:40 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/19 03:02:40 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/03/09 16:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2004/09/16 16:24:26 | 003,375,104 | ---- | C] () -- C:\Windows\System32\qt-mt331.dll

========== Custom Scans ==========


< :OTL >

< O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found. >

< O15 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\..Trusted Domains: combofix.exe ([]* in Trusted sites) >

< O15 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\..Trusted Domains: infospyware.net ([www] http in Trusted sites) >

< O15 - HKU\S-1-5-21-1643368254-1818270169-1135579119-1000\..Trusted Ranges: Range1 ([http] in Local intranet) >

< O32 - AutoRun File - [2010/05/05 16:20:58 | 000,000,103 | ---- | M] () - F:\Autorun.inf -- [ FAT32 ] >
Invalid Switch: 05 16:20:58 | 000,000,103 | ---- | M] () - F:\Autorun.inf -- [ FAT32 ]


< [2011/07/04 18:31:34 | 000,000,035 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\SetValue.bat >
Invalid Switch: 04 18:31:34 | 000,000,035 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\SetValue.bat


< [2011/07/04 18:31:33 | 000,000,691 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\GetValue.vbs >
Invalid Switch: 04 18:31:33 | 000,000,691 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\GetValue.vbs


< >

< :Services >

< >

< :Reg >

< >

< :Files >

< >

< :Commands >

< [purity] >

< [emptytemp] >

< [EMPTYFLASH] >

< [Reboot] >

< End of report >

#9 karonita (Topic Starter, Member, 50 posts)
C:\Windows\System32\%APPDATA%\*.* /s
Error: Unable to interpret <C:\Windows\System32\%APPDATA%\*.* /s> in the current context!

OTL by OldTimer - Version 3.2.26.0 log created on 07132011_080532

#10 michaelg9 (Trusted Helper, Malware Removal, 2,949 posts)
Hello Karonita,
It seems that you clicked the wrong buttons in OTL: when you should have clicked Run Fix you clicked Run Scan, and vice versa.
Please do the OTL instructions again carefully :)

#11 karonita (Topic Starter, Member, 50 posts)
All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\ not found.
Registry key HKEY_USERS\S-1-5-21-1643368254-1818270169-1135579119-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\combofix.exe\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-1643368254-1818270169-1135579119-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\infospyware.net\www\ deleted successfully.
Registry value HKEY_USERS\S-1-5-21-1643368254-1818270169-1135579119-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1\\http deleted successfully.
F:\Autorun.inf moved successfully.
C:\Users\karoni\AppData\Roaming\SetValue.bat moved successfully.
C:\Users\karoni\AppData\Roaming\GetValue.vbs moved successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: karoni
->Temp folder emptied: 1080472 bytes
->Temporary Internet Files folder emptied: 1229665 bytes
->Java cache emptied: 400625 bytes
->Google Chrome cache emptied: 6226448 bytes
->Flash cache emptied: 1066 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 3665848 bytes

Total Files Cleaned = 12.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: karoni
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.26.0 log created on 07132011_182920

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
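The fix log above records what OTL removed: the BHO registration whose CLSID had no DLL behind it (the O2 "No CLSID value found" line in the earlier scan), the two Trusted-sites domains and the Range1 intranet entry (the O15 lines), the Autorun.inf on the FAT32 drive F: (the O32 line), and two scripts in the Roaming profile. The following is an added example, not part of the thread and not OTL's own code: a read-only PowerShell check a practitioner could run after the reboot to confirm those indicators are really gone rather than relying on the "deleted successfully" lines. The registry locations are the standard Windows ones; the CLSID is copied from the log; the hosts-file path and removable-drive detection are generic, so the script looks at whatever media is plugged in when it runs. It needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not part of the thread or of OTL: re-check the indicators the
# OTL fix acted on (orphaned BHO, IE ZoneMap entries, Autorun.inf on removable
# media, hosts file) without changing anything. Registry locations are the
# standard Windows ones; the CLSID is copied from the log (an assumption only
# in the sense that it is this machine's value, not a general indicator).
# Needs PowerShell 3.0 or later (for [pscustomobject]); run elevated.

$Bho       = '{02478D38-C3F9-4efb-9B51-7695ECA05670}'   # from the O2 line in the log
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-OrphanBho {
    # A BHO registration whose CLSID has no InprocServer32 DLL is OTL's
    # "No CLSID value found" case: it loads nothing, but the leftover key shows
    # something was installed and only partly removed.
    param([Parameter(Mandatory)][string]$Clsid)
    $bhoKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$Clsid"
    $srvKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    $dll = $null
    if (Test-Path $srvKey) {
        # Get-ItemProperty already expands REG_EXPAND_SZ; strip quotes for Test-Path.
        $dll = ([string](Get-ItemProperty $srvKey).'(default)').Trim('"')
    }
    [pscustomobject]@{
        Clsid      = $Clsid
        Registered = (Test-Path $bhoKey)
        Dll        = $dll
        DllExists  = [bool]($dll -and (Test-Path -LiteralPath $dll))
    }
}

function Get-IeZoneMap {
    # Every host or address range the current user has assigned to an IE
    # security zone. Value names are URL schemes (http, https, *); the DWORD
    # is the zone: 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted.
    $zoneName = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

    $domains = Join-Path $root 'Domains'
    if (Test-Path $domains) {
        foreach ($key in Get-ChildItem $domains -Recurse) {
            # Key path is "domain\subdomain" (e.g. infospyware.net\www); rebuild the host name.
            $rel = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
            [array]::Reverse($rel)
            foreach ($scheme in $key.GetValueNames()) {
                $zone = [int]$key.GetValue($scheme)
                [pscustomobject]@{ Target = ($rel -join '.'); Scheme = $scheme; Zone = $zone; ZoneName = $zoneName[$zone] }
            }
        }
    }

    $ranges = Join-Path $root 'Ranges'
    if (Test-Path $ranges) {
        foreach ($key in Get-ChildItem $ranges) {
            # RangeN keys hold the address pattern in ":Range" plus one value per scheme.
            $target = $key.GetValue(':Range')
            foreach ($scheme in ($key.GetValueNames() | Where-Object { $_ -ne ':Range' })) {
                $zone = [int]$key.GetValue($scheme)
                [pscustomobject]@{ Target = $target; Scheme = $scheme; Zone = $zone; ZoneName = $zoneName[$zone] }
            }
        }
    }
}

function Get-RemovableAutorun {
    # Autorun.inf on a FAT32 stick is the classic USB-worm foothold. Windows 7
    # no longer honours AutoRun for removable drives, so the file cannot run by
    # itself here, but its presence shows the stick has met an infected machine.
    foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
        if ($drive.DriveType -ne 'Removable' -or -not $drive.IsReady) { continue }
        $inf = Join-Path $drive.RootDirectory.FullName 'Autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            [pscustomobject]@{
                Drive   = $drive.Name
                Format  = $drive.DriveFormat
                Autorun = (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) -join "`n"
            }
        }
    }
}

function Get-HostsEntries {
    # Active (non-comment) hosts lines. Anything beyond a localhost mapping
    # deserves a look; malware commonly adds entries that black-hole security
    # vendors' update and download sites.
    Get-Content -LiteralPath $HostsFile |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object { ($_ -replace '\s+', ' ').Trim() }
}

Test-OrphanBho -Clsid $Bho | Format-List
Get-IeZoneMap | Sort-Object Zone, Target | Format-Table -AutoSize
Get-RemovableAutorun | Format-List
Get-HostsEntries
```

On a machine where the fix above took effect, the first call reports Registered = False with an empty Dll, the zone-map listing no longer shows combofix.exe, www.infospyware.net or a Range1 entry, and no Autorun.inf is found on the FAT32 stick; the hosts output should be just the single localhost line the O1 section listed. The script only reads, so it is safe to run before and after a fix to compare.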

#12 karonita (Topic Starter, Member, 50 posts)
OTL logfile created on: 7/13/2011 18:47:32 - Run 5
OTL by OldTimer - Version 3.2.26.0 Folder = C:\Users\karoni\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.62 Mb Total Physical Memory | 110.92 Mb Available Physical Memory | 21.68% Memory free
2.94 Gb Paging File | 1.89 Gb Available in Paging File | 64.29% Paging File free
Paging file location(s): c:\pagefile.sys 2500 2500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 87.62 Gb Total Space | 65.27 Gb Free Space | 74.49% Space Free | Partition Type: NTFS
Drive D: | 5.54 Gb Total Space | 1.05 Gb Free Space | 18.92% Space Free | Partition Type: NTFS
Drive F: | 29.91 Gb Total Space | 25.91 Gb Free Space | 86.62% Space Free | Partition Type: FAT32

Computer Name: KARONI-PC | User Name: karoni | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/05 23:04:45 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\karoni\Downloads\OTL.exe
PRC - [2011/05/25 21:24:16 | 001,306,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/05/11 15:10:44 | 000,167,040 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe
PRC - [2011/05/10 22:28:30 | 003,769,048 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
PRC - [2011/05/10 22:21:12 | 003,834,456 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDMonSvc.exe
PRC - [2011/05/10 22:18:34 | 003,585,696 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe
PRC - [2011/05/10 22:18:08 | 003,515,656 | ---- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2011/02/25 01:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2010/12/15 23:46:06 | 000,151,056 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\Core\mchost.exe
PRC - [2010/11/20 08:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/11/20 08:17:00 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
PRC - [2006/10/10 20:44:20 | 000,034,520 | ---- | M] (Hewlett Packard) -- C:\Program Files\Compaq Connections\3572475\Program\Compaq Connections.exe


========== Modules (SafeList) ==========

MOD - [2011/07/05 23:04:45 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\Users\karoni\Downloads\OTL.exe
MOD - [2010/11/20 07:55:09 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (0275281310315314mcinstcleanup) McAfee Application Installer Cleanup (0275281310315314)
SRV - [2011/06/29 17:43:25 | 003,435,096 | ---- | M] () [Auto | Running] -- c:\Program Files\Common Files\Akamai\netsession_win_e477fed.dll -- (Akamai)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/05/11 15:10:44 | 000,167,040 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDWSCSvc.exe -- (SDWSCService)
SRV - [2011/05/10 22:28:30 | 003,769,048 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe -- (SDUpdateService)
SRV - [2011/05/10 22:21:12 | 003,834,456 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDMonSvc.exe -- (SDMonitorService)
SRV - [2011/05/10 22:18:34 | 003,585,696 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe -- (SDFirewallService)
SRV - [2011/05/10 22:18:08 | 003,515,656 | ---- | M] (Safer-Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe -- (SDScannerService)
SRV - [2011/03/17 16:38:42 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/10/14 17:27:38 | 000,092,216 | ---- | M] (Hewlett-Packard Company) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\Shared\HPDrvMntSvc.exe -- (HPDrvMntSvc.exe)
SRV - [2010/04/25 10:57:16 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/04/13 21:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2009/07/13 21:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 21:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)
SRV - [2006/06/26 13:50:08 | 000,126,976 | ---- | M] (Hewlett-Packard Development Company, L.P.) [On_Demand | Stopped] -- C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe -- (AddFiltr)
SRV - [2004/10/22 07:24:18 | 000,073,728 | ---- | M] (Macrovision Corporation) [Disabled | Stopped] -- C:\Program Files\Roxio\Roxio MyDVD Basic v9\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,163,400 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,064,648 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/11/20 06:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/04/13 21:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\Windows\System32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2010/02/25 00:02:30 | 000,015,544 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CPQBttn.sys -- (HBtnKey)
DRV - [2009/11/04 16:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2008/07/22 07:42:58 | 000,051,200 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtnicxp.sys -- (RTL8023xp)
DRV - [2008/03/04 02:32:00 | 000,188,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService)
DRV - [2007/07/10 06:27:56 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/11/02 10:43:50 | 000,145,920 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\CHDART.sys -- (HdAudAddService)
DRV - [2006/06/28 13:57:00 | 000,008,192 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\eabfiltr.sys -- (eabfiltr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...SARIO&pf=laptop

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.facebook.com/login
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX Browser Plugin,version=1.0.0: C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
FF - HKLM\Software\MozillaPlugins\@divx.com/DivX VOD Helper,version=1.0.0: C:\Program Files\DivX\DivX OVS Helper\npovshelper.dll (DivX, LLC.)
FF - HKLM\Software\MozillaPlugins\@google.com/npPicasa3,version=3.0.0: C:\Program Files\Google\Picasa3\npPicasa3.dll (Google, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.4: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\karoni\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\karoni\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKLM\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/23 21:24:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/23 21:24:28 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/24 18:41:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Google\Web Accelerator\firefox [2011/06/23 18:39:43 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\{23fcfd51-4958-4f00-80a3-ae97e717ed8b}: C:\Program Files\DivX\DivX Plus Web Player\firefox\html5video [2011/03/23 21:24:27 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\{6904342A-8307-11DF-A508-4AE2DFD72085}: C:\Program Files\DivX\DivX Plus Web Player\firefox\wpa [2011/03/23 21:24:28 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/24 18:41:36 | 000,000,000 | ---D | M]
FF - HKCU\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Google\Web Accelerator\firefox [2011/06/23 18:39:43 | 000,000,000 | ---D | M]

[2010/04/24 18:41:07 | 000,000,000 | ---D | M] (No name found) -- C:\Users\karoni\AppData\Roaming\Mozilla\Extensions
[2010/04/16 21:33:22 | 000,000,000 | ---D | M] (No name found) -- C:\Users\karoni\AppData\Roaming\Mozilla\Extensions\[email protected]

O1 HOSTS File: ([2011/07/11 18:32:52 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - File not found
O2 - BHO: (DivX Plus Web Player HTML5 <video>) - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O2 - BHO: (DivX HiQ) - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll (DivX, LLC)
O2 - BHO: (&Google Web Accelerator Helper) - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20110616185531.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Web Accelerator) - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr (Google Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy 2\SDHelper.dll (Safer-Networking Ltd.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O24 - Desktop WallPaper: C:\Users\karoni\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\karoni\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 17:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2005/09/11 11:18:54 | 000,000,340 | -HS- | M] () - D:\AUTOMODE -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/13 18:33:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2011/07/13 08:05:32 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/07/12 07:57:14 | 000,000,000 | ---D | C] -- C:\Windows\TEMP
[2011/07/12 07:47:57 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/07/12 07:19:29 | 000,000,000 | ---D | C] -- C:\ComboFix
[2011/07/11 17:56:35 | 000,518,144 | R--- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/07/11 17:56:35 | 000,406,528 | R--- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/07/11 17:50:34 | 000,060,416 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/07/10 23:38:14 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Local\temp
[2011/07/04 12:30:29 | 000,056,400 | ---- | C] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2011/07/04 12:30:28 | 000,190,032 | ---- | C] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2011/07/03 12:48:48 | 000,000,000 | ---D | C] -- C:\Users\karoni\FrostWire
[2011/07/03 11:06:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (Disabled by AnVir)
[2011/07/03 10:39:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AnVir Task Manager Free
[2011/07/03 10:39:02 | 000,000,000 | ---D | C] -- C:\Program Files\AnVir Task Manager Free
[2011/07/03 10:38:01 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Local\AnVir
[2011/07/02 13:53:31 | 000,870,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2011/07/02 13:53:27 | 000,288,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2011/07/02 13:53:24 | 000,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\prevhost.exe
[2011/07/02 13:51:29 | 000,027,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\Diskdump.sys
[2011/07/02 13:50:17 | 002,616,320 | ---- | C] (Microsoft Corporation) -- C:\Windows\explorer.exe
[2011/07/02 13:49:56 | 001,401,344 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssrch.dll
[2011/07/02 13:49:55 | 001,549,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tquery.dll
[2011/07/02 13:49:52 | 000,337,408 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssph.dll
[2011/07/02 13:49:47 | 000,666,624 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssvp.dll
[2011/07/02 13:49:45 | 000,197,120 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mssphtb.dll
[2011/07/02 13:49:43 | 000,059,392 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msscntrs.dll
[2011/06/28 19:28:12 | 000,000,000 | ---D | C] -- C:\Users\karoni\Desktop\log
[2011/06/24 18:14:16 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot - Search & Destroy 2
[2011/06/24 18:14:13 | 000,015,224 | ---- | C] (Safer Networking Limited) -- C:\Windows\System32\sdnclean.exe
[2011/06/24 18:13:35 | 000,770,384 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcr100.dll
[2011/06/24 18:13:35 | 000,421,200 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msvcp100.dll
[2011/06/24 18:08:52 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FrostWire
[2011/06/23 18:39:43 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Web Accelerator
[2011/06/23 18:28:00 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy 2
[2011/06/23 18:23:35 | 000,000,000 | ---D | C] -- C:\Users\karoni\AppData\Roaming\SUPERAntiSpyware.com
[2011/06/23 18:23:25 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
[2011/06/23 18:23:10 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/06/23 18:19:47 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/06/23 18:19:12 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/23 18:19:12 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/23 18:19:12 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/23 18:18:37 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2011/06/20 20:34:37 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2011/06/20 20:34:37 | 000,000,000 | ---D | C] -- C:\Program Files\Adobe
[2011/06/17 18:07:33 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2011/06/17 18:07:31 | 000,716,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript.dll
[2011/06/17 18:07:31 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2011/06/17 18:07:30 | 001,797,632 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2011/06/17 18:05:50 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010/10/13 19:17:07 | 000,047,360 | ---- | C] (VSO Software) -- C:\Users\karoni\AppData\Roaming\pcouffin.sys
[2010/09/03 22:07:39 | 003,063,561 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\MobileTV.exe
[2010/09/03 22:07:39 | 002,989,660 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\DVD.exe
[2010/09/03 22:07:38 | 002,864,396 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\MPV.exe
[2010/09/03 22:07:38 | 002,331,174 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\Karaoke.exe
[2010/09/03 22:07:37 | 002,231,606 | ---- | C] (Macromedia, Inc.) -- C:\ProgramData\Games.exe

========== Files - Modified Within 30 Days ==========

[2011/07/13 18:44:16 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1643368254-1818270169-1135579119-1000UA.job
[2011/07/13 18:44:09 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1643368254-1818270169-1135579119-1000Core.job
[2011/07/13 18:32:00 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/07/13 18:31:54 | 402,350,080 | -HS- | M] () -- C:\hiberfil.sys
[2011/07/13 18:31:05 | 000,010,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2011/07/13 18:31:05 | 000,010,048 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2011/07/13 07:23:15 | 000,132,597 | ---- | M] () -- C:\Users\karoni\Desktop\Flash_Disinfector.exe
[2011/07/13 06:15:06 | 000,293,977 | ---- | M] () -- C:\Users\karoni\Desktop\gmer.zip
[2011/07/12 18:00:02 | 000,000,446 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Registration3.job
[2011/07/11 22:51:22 | 162,372,208 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/07/11 22:36:18 | 000,000,606 | ---- | M] () -- C:\Users\karoni\Desktop\fsecuree
[2011/07/11 18:32:52 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/07/05 21:26:00 | 000,001,041 | ---- | M] () -- C:\Users\karoni\AppData\Roaming\vso_ts_preview.xml
[2011/07/04 12:30:29 | 000,056,400 | ---- | M] (trend_company_name) -- C:\Windows\System32\drivers\tmrkb.sys
[2011/07/04 12:30:28 | 000,190,032 | ---- | M] (Trend Micro Inc.) -- C:\Windows\System32\drivers\tmcomm.sys
[2011/07/04 12:05:45 | 000,624,178 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/07/04 12:05:45 | 000,106,522 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/07/03 10:39:04 | 000,000,997 | ---- | M] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\AnVir Task Manager Free.lnk
[2011/07/03 10:39:03 | 000,001,039 | ---- | M] () -- C:\Users\Public\Desktop\AnVir Task Manager Free.lnk
[2011/07/02 17:35:22 | 000,389,408 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/06/30 17:54:24 | 000,012,660 | ---- | M] () -- C:\Users\karoni\Documents\cc_20110630_175401.reg
[2011/06/26 12:34:12 | 000,000,000 | ---- | M] () -- C:\Users\karoni\AppData\Roaming\.googlewebacchosts
[2011/06/26 02:45:56 | 000,256,000 | ---- | M] () -- C:\Windows\PEV.exe
[2011/06/24 18:14:15 | 000,002,123 | ---- | M] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2011/06/24 18:08:53 | 000,001,203 | ---- | M] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.21.8.lnk
[2011/06/24 18:08:52 | 000,001,179 | ---- | M] () -- C:\Users\karoni\Desktop\FrostWire 4.21.8.lnk
[2011/06/23 18:39:44 | 000,001,181 | ---- | M] () -- C:\Users\karoni\Desktop\Google Web Accelerator.lnk
[2011/06/23 18:23:27 | 000,001,965 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/06/23 18:18:49 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2011/06/23 18:18:49 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2011/06/23 18:18:48 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2011/06/23 18:18:46 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2011/06/23 18:16:26 | 000,404,640 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2011/06/20 20:35:20 | 000,001,989 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk

========== Files Created - No Company Name ==========

[2011/07/13 07:22:57 | 000,132,597 | ---- | C] () -- C:\Users\karoni\Desktop\Flash_Disinfector.exe
[2011/07/13 06:15:18 | 000,293,977 | ---- | C] () -- C:\Users\karoni\Desktop\gmer.zip
[2011/07/11 22:36:18 | 000,000,606 | ---- | C] () -- C:\Users\karoni\Desktop\fsecuree
[2011/07/11 17:56:39 | 000,208,896 | R--- | C] () -- C:\Windows\MBR.exe
[2011/07/11 17:56:35 | 000,098,816 | R--- | C] () -- C:\Windows\sed.exe
[2011/07/11 17:56:35 | 000,080,412 | R--- | C] () -- C:\Windows\grep.exe
[2011/07/11 17:56:35 | 000,068,096 | R--- | C] () -- C:\Windows\zip.exe
[2011/07/03 10:39:04 | 000,000,997 | ---- | C] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\AnVir Task Manager Free.lnk
[2011/07/03 10:39:02 | 000,001,039 | ---- | C] () -- C:\Users\Public\Desktop\AnVir Task Manager Free.lnk
[2011/06/30 17:54:17 | 000,012,660 | ---- | C] () -- C:\Users\karoni\Documents\cc_20110630_175401.reg
[2011/06/26 02:45:56 | 000,256,000 | ---- | C] () -- C:\Windows\PEV.exe
[2011/06/24 18:14:15 | 000,002,135 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Spybot-S&D Start Center.lnk
[2011/06/24 18:14:15 | 000,002,123 | ---- | C] () -- C:\Users\Public\Desktop\Spybot-S&D Start Center.lnk
[2011/06/24 18:08:53 | 000,001,203 | ---- | C] () -- C:\Users\karoni\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 4.21.8.lnk
[2011/06/24 18:08:52 | 000,001,179 | ---- | C] () -- C:\Users\karoni\Desktop\FrostWire 4.21.8.lnk
[2011/06/23 18:45:14 | 000,000,000 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\.googlewebacchosts
[2011/06/23 18:39:44 | 000,001,181 | ---- | C] () -- C:\Users\karoni\Desktop\Google Web Accelerator.lnk
[2011/06/23 18:23:27 | 000,001,965 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/06/20 20:35:19 | 000,002,441 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/20 20:35:19 | 000,001,989 | ---- | C] () -- C:\Users\Public\Desktop\Adobe Reader X.lnk
[2011/03/20 13:42:53 | 000,006,656 | ---- | C] () -- C:\Windows\System32\bcmwlrc.dll
[2010/12/22 21:22:02 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/11/09 21:50:41 | 000,000,017 | ---- | C] () -- C:\Users\karoni\AppData\Local\resmon.resmoncfg
[2010/10/13 19:17:07 | 000,007,887 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\pcouffin.cat
[2010/10/13 19:17:07 | 000,001,144 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\pcouffin.inf
[2010/10/10 18:19:03 | 000,001,041 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\vso_ts_preview.xml
[2010/10/10 11:22:41 | 000,000,039 | ---- | C] () -- C:\Windows\WININIT.INI
[2010/10/10 10:30:01 | 000,000,000 | ---- | C] () -- C:\Users\karoni\AppData\Roaming\wklnhst.dat
[2010/04/24 19:18:07 | 000,000,279 | ---- | C] () -- C:\ProgramData\hpqp.ini
[2010/04/24 18:48:38 | 000,021,316 | ---- | C] () -- C:\Windows\System32\emptyregdb.dat
[2010/04/17 17:01:27 | 000,000,000 | ---- | C] () -- C:\Windows\setup32.INI
[2010/02/12 23:21:31 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/07/14 00:57:37 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2009/07/14 00:33:53 | 000,389,408 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/07/13 22:05:48 | 000,624,178 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2009/07/13 22:05:48 | 000,291,294 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2009/07/13 22:05:48 | 000,106,522 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2009/07/13 22:05:48 | 000,031,548 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2009/07/13 22:05:05 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2009/07/13 22:04:11 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2009/07/13 19:55:01 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2009/07/13 19:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 19:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/10 17:26:10 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2006/11/06 07:02:10 | 000,204,800 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1114.dll
[2006/09/19 03:02:40 | 000,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/19 03:02:40 | 000,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/03/09 16:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll
[2004/09/16 16:24:26 | 003,375,104 | ---- | C] () -- C:\Windows\System32\qt-mt331.dll

========== Custom Scans ==========


< C:\Windows\System32\%APPDATA%\*.* /s >
[2011/06/17 18:35:19 | 000,016,384 | -HS- | M] () -- C:\Windows\System32\%APPDATA%\Microsoft\Windows\IETldCache\index.dat

< End of report >

Sorry about that. I guess I did goof. Hope this is good.

#13
michaelg9
    Trusted Helper
  • Malware Removal
  • 2,949 posts
Hello karonita

Sorry, I forgot to tell you to post the Extras log. When you last ran OTL, two logs should have appeared on your Desktop, OTL.txt and Extras.txt. Please post the Extras.txt log.


Next:

Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Next:

Perform a full scan with McAfee and post the log here :)



Next:

After these, tell me how your computer is working and whether there are any other problems.

#14
karonita
    Member
  • Topic Starter
  • Member
  • 50 posts
OTL Extras logfile created on: 7/13/2011 18:47:32 - Run 5
OTL by OldTimer - Version 3.2.26.0 Folder = C:\Users\karoni\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.62 Mb Total Physical Memory | 110.92 Mb Available Physical Memory | 21.68% Memory free
2.94 Gb Paging File | 1.89 Gb Available in Paging File | 64.29% Paging File free
Paging file location(s): c:\pagefile.sys 2500 2500 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 87.62 Gb Total Space | 65.27 Gb Free Space | 74.49% Space Free | Partition Type: NTFS
Drive D: | 5.54 Gb Total Space | 1.05 Gb Free Space | 18.92% Space Free | Partition Type: NTFS
Drive F: | 29.91 Gb Total Space | 25.91 Gb Free Space | 86.62% Space Free | Partition Type: FAT32

Computer Name: KARONI-PC | User Name: karoni | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"DoNotAllowExceptions" = 1
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" = C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe:*:Disabled:Spybot-S&D 2 Scanner Service -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDFWSvc.exe:*:Enabled:Spybot-S&D 2 Firewall service -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDMonSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDMonSvc.exe:*:Enabled:Spybot-S&D 2 On-Access monitor service -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDSODSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDSODSvc.exe:*:Enabled:Spybot-S&D 2 Scan On Demand service
"C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe:*:Enabled:Spybot-S&D 2 Tray Icon -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdate.exe:*:Enabled:Spybot-S&D 2 Updater -- (Safer-Networking Ltd.)
"C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe" = C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe:*:Enabled:Spybot-S&D 2 Background update service -- (Safer-Networking Ltd.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{02F33FB0-F7D5-4C0A-B4AD-8CE5CE230BBE}" = HP Wireless Assistant
"{10A44844-4465-456E-8C97-80BDD4F68845}" = Windows Live ID Sign-in Assistant
"{13A5E785-5197-4EAD-8EE3-D660271E49BC}" = Feedback Tool
"{15DD1D3C-8386-47D4-91A4-2D25FAFE1255}" = HP User Guide 0039
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{254C37AA-6B72-4300-84F6-98A82419187E}" = ActiveCheck component for HP Active Support Library
"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java™ 6 Update 26
"{27C467F8-F8EF-4f68-BD72-D63632B2096C}" = McAfee Online Backup
"{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}" = Roxio MyDVD Basic v9
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.10 B9
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3CBF3EBB-235D-4c29-A68B-2BB1F428586E}" = ParetoLogic PC Health Advisor
"{40F7AED3-0C7D-4582-99F6-484A515C73F2}" = HP Easy Setup - Frontend
"{45D707E9-F3C4-11D9-A373-0050BAE317E1}" = HP DVD Play 3.7
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{612C34C7-5E90-47D8-9B5C-0F717DD82726}" = swMSM
"{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites
"{669D4A35-146B-4314-89F1-1AC3D7B88367}" = HPAsset component for HP Active Support Library
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{8C6027FD-53DC-446D-BB75-CACD7028A134}" = HP Update
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{A12A3DED-CCDA-4F29-A1BA-00F0C6521CD5}" = HP Total Care Advisor
"{AB05F2C8-F608-403b-95E1-FD8ADFACD31E}" = Windows 7 Upgrade Advisor
"{AB5E289E-76BF-4251-9F3F-9B763F681AE0}" = HP Customer Experience Enhancements
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.0)
"{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1" = Spybot - Search & Destroy 2
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CFF4500E-C5D6-695D-A027-B3D4DDED2CC3}" = McAfee Online Backup
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.1.2.336
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F94234DB-FD06-42C3-B88D-6FC4DC9F988C}" = HP Easy Setup - Core
"{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}" = ASL_HS_Installer32
"{FE0646A7-19D0-41B4-A2BB-2C35D644270D}" = Windows Live OneCare safety scanner
"{FF2D46CF-122C-47D8-9846-037C59E7144D}" = Google Web Accelerator
"Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.6
"Akamai" = Akamai NetSession Interface
"AnVir Task Manager Free" = AnVir Task Manager Free
"AudibleManager" = AudibleManager
"Broadcom 802.11 Wireless LAN Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CCleaner" = CCleaner
"CNXT_MODEM_HDA_HSF" = HDAUDIO Soft Data Fax Modem with SmartCP
"CoreAAC" = CoreAAC
"DivX Setup.divx.com" = DivX Setup
"ESET Online Scanner" = ESET Online Scanner v3
"FileHippo.com" = FileHippo.com Update Checker
"FrostWire" = FrostWire 4.21.8
"GOM ENCODER" = GOM Encoder
"GOM Player" = GOM Player
"HDMI" = Intel® Graphics Media Accelerator Driver
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"HPOOVClient-3572475 Uninstaller" = Compaq Connections (remove only)
"IPP Run-Time 5.3" = IPP Run-Time 5.3
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"MPEG2 Codec(libmpeg2/mad)" = MPEG2 Codec(libmpeg2/mad)
"MSC" = McAfee Total Protection
"Picasa 3" = Picasa 3
"QuickTime" = QuickTime
"SynTPDeinstKey" = Synaptics Pointing Device Driver

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >

This one is from last night. I'm not seeing the one from this morning, if there was one. I also did a search and only this one comes up.
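Two parts of the Extras log posted above are what a malware-removal helper reads first: the Shell Spawning section (whether the open commands for exefile, batfile, cmdfile, comfile, piffile and scrfile are still the stock Windows values, because a hijacked exefile handler runs the attacker's binary every time any program is launched) and the Firewall Settings and Security Center keys (here "EnableFirewall" = 0 on all three profiles). The following Python checker is an added example for this thread; it is not part of the original post, of OTL, or of any tool the thread mentions. It parses those sections from a constructed sample written in the same layout as the log (the sample text and the hijacked handler path are invented for this illustration), compares the handlers against the Windows defaults held in EXPECTED_SHELL, and reports every profile with the firewall disabled and every non-zero Security Center override. Handler lines that OTL reports as "Reg Error" carry no command and are reported separately as unreadable rather than treated as hijacks.

```python
import re

# Constructed sample in the layout of an OTL Extras.txt log (made up for this
# example, not copied from any machine; the handler path in HIJACKED_LOG is invented).
SAMPLE_LOG = r"""
========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [open] -- "%1" /S

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DoNotAllowExceptions" = 1
"EnableFirewall" = 1
"""

# Same sample with the exefile handler pointed at an invented user-profile binary.
HIJACKED_LOG = SAMPLE_LOG.replace(
    'exefile [open] -- "%1" %*',
    r'exefile [open] -- "C:\Users\victim\AppData\Roaming\loader.exe" "%1" %*',
)

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # ========== Name ==========
KEY_RE = re.compile(r"^\[(.+)\]$")                      # [HKEY_...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')       # "Name" = value
SHELL_RE = re.compile(r"^(\S+) \[(\w+)\] -- (.*)$")     # class [verb] -- command

# Stock Windows handlers for the classes that launch code directly.
EXPECTED_SHELL = {
    ("exefile", "open"): '"%1" %*',
    ("batfile", "open"): '"%1" %*',
    ("cmdfile", "open"): '"%1" %*',
    ("comfile", "open"): '"%1" %*',
    ("piffile", "open"): '"%1" %*',
    ("scrfile", "open"): '"%1" /S',
}


def split_sections(text):
    """Map each '========== Name ==========' header to its non-blank lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_registry_values(lines):
    """Return {registry key: {value name: value string}} for a registry-style section."""
    values, key = {}, None
    for line in lines:
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            values.setdefault(key, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and key is not None:
            values[key][value_match.group(1)] = value_match.group(2)
    return values


def parse_shell_spawning(lines):
    """Return {(class, verb): command} from the Shell Spawning section."""
    handlers = {}
    for line in lines:
        match = SHELL_RE.match(line)
        if match:
            handlers[(match.group(1), match.group(2))] = match.group(3)
    return handlers


def audit(text):
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    sections = split_sections(text)

    handlers = parse_shell_spawning(sections.get("Shell Spawning", []))
    for (cls, verb), expected in EXPECTED_SHELL.items():
        actual = handlers.get((cls, verb))
        if actual is None:
            continue  # class not listed in this log
        if actual.startswith("Reg Error"):
            findings.append(f"unreadable handler: {cls} [{verb}]")
        elif actual != expected:
            findings.append(f"shell hijack: {cls} [{verb}] -> {actual} (expected {expected})")

    for key, values in parse_registry_values(sections.get("Firewall Settings", [])).items():
        if values.get("EnableFirewall") == "0":
            profile = key.rsplit("\\", 1)[-1]
            findings.append(f"firewall off: {profile}")

    for values in parse_registry_values(sections.get("Security Center Settings", [])).values():
        for name, value in values.items():
            if name.endswith("Override") and value != "0":
                findings.append(f"security center override: {name}={value}")
    return findings


if __name__ == "__main__":
    for label, log in (("sample", SAMPLE_LOG), ("hijacked", HIJACKED_LOG)):
        print(label)
        for finding in audit(log) or ["no findings"]:
            print("  " + finding)
```

A "firewall off" finding is a prompt to confirm, not proof of tampering: when a third-party suite such as the McAfee product listed in this log registers its own firewall with Security Center, the Windows Firewall profiles are commonly left disabled. A "shell hijack" finding, by contrast, is always worth acting on, since nothing legitimate rewrites the exefile open command to a path under a user profile.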

#15
karonita
    Member
  • Topic Starter
  • Member
  • 50 posts
I'm doing the Malwarebytes scan now but just had a question. Did you see anything so far? I know you had me remove stuff, but were they malware related? A few scans in between the month I waited showed OpenCandy. But reading up on that, it sounds like it's a questionable installer. The next was:
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
And most recent:
Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\atapi.sys
It's running sluggish right now.



www.malwarebytes.org

Database version: 7141

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

7/14/2011 06:34:46
mbam-log-2011-07-14 (06-34-46).txt

Scan type: Quick scan
Objects scanned: 157495
Time elapsed: 13 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)