
I suspect a malware in GNR.EXE or GRN.EXE files



#1 paulgleave (Member, 49 posts)
Hi Guys,
First, thanks for the support. I found my computer was sluggish, and opening my browser (Google Chrome) displayed ads. I ran a McAfee antivirus scan and it found nothing. So I downloaded HijackThis, did the scan and analysis, then fixed what it had said. I still had the problem, so I activated the parental control on McAfee and it started to block the ads and gave me a file ending in GNR.EXE or a GRN.EXE file in my C: drive that was trying to access the internet. I tried to locate the file in the string of folders and even did a file search; found nothing. I was then told to use Spybot Search & Destroy 1.6.2 and it found some issues and I did the "fix problems" thing. Now my ads are gone, but when I use a search engine to do things and click a link it directs me to ads, not the web pages I want; I had to click back and forth to get your page from the browser. I have defragmented and disk-cleaned and removed old programs, and the computer is a little faster but still has the search engine problems.
I run XP Home. I have an AMD 2.6 dual-core processor, 1G RAM; not sure of what else.
Below is the report from OTL.
Thanks again, guys; so happy to have support.
Regards,
Paul
OTL Extras logfile created on: 20/07/2011 11:14:55 PM - Run 1
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Paul\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

959.48 Mb Total Physical Memory | 170.47 Mb Available Physical Memory | 17.77% Memory free
2.26 Gb Paging File | 1.15 Gb Available in Paging File | 51.07% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 118.59 Gb Total Space | 43.29 Gb Free Space | 36.50% Space Free | Partition Type: NTFS
Drive E: | 114.29 Gb Total Space | 72.48 Gb Free Space | 63.41% Space Free | Partition Type: NTFS

Computer Name: KOOROORA-61578C | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe" = C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater
"C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe" = C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process
"C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" = C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe:*:Enabled:Nokia Ovi Suite 2
"C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)
"C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" = C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:*:Enabled:Adobe CSI CS4 -- (Adobe Systems Incorporated)
"C:\Program Files\Nokia\Nokia Home Media Server\Media Server\twonkymedia.exe" = C:\Program Files\Nokia\Nokia Home Media Server\Media Server\twonkymedia.exe:*:Disabled:TwonkyMedia
"C:\Program Files\Nokia\Nokia Home Media Server\Media Server\twonkymediaserver.exe" = C:\Program Files\Nokia\Nokia Home Media Server\Media Server\twonkymediaserver.exe:*:Disabled:TwonkyMediaServer


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Facebook Plug-In" = Facebook Plug-In
"Google Chrome" = Google Chrome

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 19/07/2011 7:07:01 PM | Computer Name = KOOROORA-61578C | Source = Application Error | ID = 1001
Description = Fault bucket -1767636617.

Error - 20/07/2011 3:30:52 AM | Computer Name = KOOROORA-61578C | Source = Microsoft Office 12 | ID = 2001
Description = Rejected Safe Mode action : Microsoft Office Outlook.

Error - 20/07/2011 5:10:26 AM | Computer Name = KOOROORA-61578C | Source = Application Hang | ID = 1002
Description = Hanging application SpybotSD.exe, version 1.6.2.46, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 20/07/2011 5:52:06 AM | Computer Name = KOOROORA-61578C | Source = OviSuite | ID = 1
Description =

Error - 20/07/2011 5:52:07 AM | Computer Name = KOOROORA-61578C | Source = OviSuite | ID = 1
Description =

Error - 20/07/2011 5:52:07 AM | Computer Name = KOOROORA-61578C | Source = OviSuite | ID = 1
Description =

Error - 20/07/2011 5:52:07 AM | Computer Name = KOOROORA-61578C | Source = OviSuite | ID = 1
Description =

Error - 20/07/2011 5:52:07 AM | Computer Name = KOOROORA-61578C | Source = OviSuite | ID = 1
Description =

Error - 20/07/2011 8:02:53 AM | Computer Name = KOOROORA-61578C | Source = MsiInstaller | ID = 11500
Description = Product: Java™ 6 Update 26 -- Error 1500.Another installation is
in progress. You must complete that installation before continuing this one.

Error - 20/07/2011 9:00:38 AM | Computer Name = KOOROORA-61578C | Source = Windows Search Service | ID = 3024
Description = The update cannot be started because the content sources cannot be
accessed. Fix the errors and try the update again. Context: Windows Application,
SystemIndex Catalog

[ System Events ]
Error - 20/07/2011 8:07:07 AM | Computer Name = KOOROORA-61578C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 20/07/2011 8:07:07 AM | Computer Name = KOOROORA-61578C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 20/07/2011 8:07:07 AM | Computer Name = KOOROORA-61578C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 20/07/2011 8:07:07 AM | Computer Name = KOOROORA-61578C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 20/07/2011 8:07:07 AM | Computer Name = KOOROORA-61578C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 20/07/2011 8:07:08 AM | Computer Name = KOOROORA-61578C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 20/07/2011 8:07:08 AM | Computer Name = KOOROORA-61578C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 20/07/2011 8:07:08 AM | Computer Name = KOOROORA-61578C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 20/07/2011 8:07:08 AM | Computer Name = KOOROORA-61578C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126

Error - 20/07/2011 8:07:08 AM | Computer Name = KOOROORA-61578C | Source = Service Control Manager | ID = 7023
Description = The Application Management service terminated with the following error:
%%126


< End of report >
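An added example (not code from the thread or from OTL) that pulls the Security Center, firewall and authorized-application sections out of an Extras log like the one above and lists the settings a reviewer checks first. The sample log is a constructed excerpt, and treating `C:\Documents and Settings\` as the user-profile prefix is an assumption about XP's layout.

```python
"""Parse the settings sections of an OTL Extras log and list what a reviewer
checks first: Security Center alerts switched off, firewall ports opened to any
address, and firewall-authorized programs running from a user profile.

Added example for this thread, not code from the post or from OTL. SAMPLE_LOG
is a constructed excerpt modelled on the Extras log above."""
import re
from collections import OrderedDict

SAMPLE_LOG = r"""
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5353:TCP" = 5353:TCP:*:Enabled:Adobe CSI CS4
"1900:TCP" = 1900:TCP:LocalSubNet:Enabled:UDP 1900
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
"C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe" = C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox -- (Dropbox, Inc.)
"""

SECTION_RE = re.compile(r"^=+ (.+?) =+$")          # ========== Name ==========
KEY_RE = re.compile(r"^\[(.+)\]$")                  # [HKEY_...\Key]
VALUE_RE = re.compile(r'^"([^"]+)" = (.*)$')        # "name" = value
APP_RE = re.compile(r"^(.*?):([^:]*):(Enabled|Disabled):(.*)$")  # path:scope:state:desc

def parse_extras(text):
    """Return {section: {registry_key: {name: value}}} for the settings sections."""
    sections = OrderedDict()
    section = key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            sections[section] = OrderedDict()
            key = None
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            key = m.group(1)
            sections[section][key] = OrderedDict()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            sections[section][key][m.group(1)] = m.group(2)
    return sections

def review_settings(sections):
    """Return human-readable findings; an empty list means nothing to raise."""
    findings = []
    for key, values in sections.get("Security Center Settings", {}).items():
        # *DisableNotify = 1 silences the XP Security Center balloon for that area.
        # Vendor "DisableMonitoring" keys are set legitimately by third-party suites
        # that report their own state through Security Center, so they are not flagged.
        for name, value in values.items():
            if name.endswith("DisableNotify") and value == "1":
                findings.append(f"Security Center: {name} = 1 (alerts suppressed)")
    for key, values in sections.get("Firewall Settings", {}).items():
        if key.endswith(r"\GloballyOpenPorts\List"):
            for value in values.values():
                port, proto, scope, state, desc = value.split(":", 4)
                if state == "Enabled" and scope == "*":   # "*" = any remote address
                    findings.append(f"Firewall: {port}/{proto} open to any address ({desc})")
        elif values.get("EnableFirewall") == "0":
            findings.append(f"Firewall: disabled in {key.rsplit(chr(92), 1)[-1]}")
    for values in sections.get("Authorized Applications List", {}).values():
        for value in values.values():
            m = APP_RE.match(value)
            if not m:
                continue
            path, _scope, state, desc = m.groups()
            # Assumption: on XP the user profiles live under C:\Documents and Settings;
            # a firewall exception from there deserves a publisher check.
            if state == "Enabled" and path.lower().startswith(r"c:\documents and settings"):
                findings.append(f"Firewall: {desc} authorized from user profile path {path}")
    return findings
```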


#2 RKinner (Malware Expert, MVP, 24,625 posts)
Need your OTL log. You posted the Extras log.

Also:

Download TDSSKiller:
http://support.kaspe.../tdsskiller.exe
Save it to your desktop, then run it.
Double-click TDSSKiller.exe.
If TDSSKiller alerts you that the system needs to reboot, please consent.
When done, a log file should be created on your C: drive named "TDSSKiller.txt"; please copy and paste the contents in your next reply.

Download aswMBR.exe (511KB) to your desktop.

Double-click aswMBR.exe to run it.

Click the "Scan" button to start the scan.

On completion of the scan (note whether the Fix button is enabled and tell me), click Save log, save it to your desktop and post it in your next reply.

Ron

#3 paulgleave (Topic Starter, Member, 49 posts)
Hi Ron,
First task 1. Thanks again for the help. I downloaded TDSSKiller, but it only let me run the program, not save it to the desktop. It also has not saved to All Programs, so I'm not sure where it is. Here is the log Notepad opened when it finished its scan. I tried searching my C: drive and cut and pasted the file name you asked me to look for, and it's not in the drive.


2011/07/21 09:14:15.0937 1244 TDSS rootkit removing tool 2.5.11.0 Jul 11 2011 16:56:56
2011/07/21 09:14:17.0765 1244 ================================================================================
2011/07/21 09:14:17.0765 1244 SystemInfo:
2011/07/21 09:14:17.0765 1244
2011/07/21 09:14:17.0765 1244 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/21 09:14:17.0765 1244 Product type: Workstation
2011/07/21 09:14:17.0765 1244 ComputerName: KOOROORA-61578C
2011/07/21 09:14:17.0765 1244 UserName: Paul
2011/07/21 09:14:17.0765 1244 Windows directory: C:\WINDOWS
2011/07/21 09:14:17.0765 1244 System windows directory: C:\WINDOWS
2011/07/21 09:14:17.0765 1244 Processor architecture: Intel x86
2011/07/21 09:14:17.0765 1244 Number of processors: 2
2011/07/21 09:14:17.0765 1244 Page size: 0x1000
2011/07/21 09:14:17.0765 1244 Boot type: Normal boot
2011/07/21 09:14:17.0765 1244 ================================================================================
2011/07/21 09:14:19.0437 1244 Initialize success
2011/07/21 09:14:35.0109 1832 ================================================================================
2011/07/21 09:14:35.0109 1832 Scan started
2011/07/21 09:14:35.0109 1832 Mode: Manual;
2011/07/21 09:14:35.0109 1832 ================================================================================
2011/07/21 09:14:50.0687 1832 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/07/21 09:14:51.0000 1832 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/21 09:14:51.0171 1832 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/07/21 09:14:51.0328 1832 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/21 09:14:51.0437 1832 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/21 09:14:51.0578 1832 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/21 09:14:51.0718 1832 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/21 09:14:51.0953 1832 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/21 09:14:52.0046 1832 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/21 09:14:52.0140 1832 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/21 09:14:52.0250 1832 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/21 09:14:52.0421 1832 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/21 09:14:52.0671 1832 nv (eb2858f920b8135b807b5ccaa3ed73dc) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/07/21 09:14:53.0296 1832 nvata (ef9941593b2e9b436f64a87ddb570d1a) C:\WINDOWS\system32\DRIVERS\nvata.sys
2011/07/21 09:14:53.0625 1832 NVENETFD (0ae6258709d58fb53638e8d28f4480d4) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
2011/07/21 09:14:54.0125 1832 nvnetbus (1296b33c223a58485d5eaa779752216a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
2011/07/21 09:14:54.0515 1832 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/21 09:14:54.0593 1832 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/21 09:14:54.0765 1832 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/07/21 09:14:54.0859 1832 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/21 09:14:55.0000 1832 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/21 09:14:55.0328 1832 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys
2011/07/21 09:14:55.0671 1832 pccsmcfd (fd2041e9ba03db7764b2248f02475079) C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys
2011/07/21 09:14:56.0156 1832 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/21 09:14:56.0453 1832 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/21 09:14:56.0562 1832 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/21 09:14:57.0031 1832 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/21 09:14:57.0250 1832 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/07/21 09:14:57.0437 1832 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/21 09:14:57.0562 1832 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/21 09:14:57.0734 1832 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/07/21 09:14:58.0250 1832 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/21 09:14:58.0437 1832 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/21 09:14:58.0546 1832 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/21 09:14:58.0671 1832 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/21 09:14:58.0796 1832 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/21 09:14:58.0953 1832 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/21 09:14:59.0062 1832 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/21 09:14:59.0203 1832 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/21 09:14:59.0265 1832 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/07/21 09:14:59.0437 1832 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/21 09:14:59.0734 1832 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/07/21 09:14:59.0843 1832 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/07/21 09:14:59.0968 1832 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/21 09:15:00.0109 1832 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/07/21 09:15:00.0312 1832 SndTAudio (e407af3038f08d1b68a58ad9956b191e) C:\WINDOWS\system32\drivers\SndTAudio.sys
2011/07/21 09:15:00.0671 1832 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/21 09:15:00.0734 1832 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/21 09:15:00.0812 1832 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/21 09:15:01.0109 1832 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/07/21 09:15:01.0343 1832 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/21 09:15:01.0484 1832 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/21 09:15:01.0984 1832 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/21 09:15:02.0093 1832 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/21 09:15:02.0265 1832 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/21 09:15:02.0406 1832 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/21 09:15:02.0500 1832 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/21 09:15:02.0843 1832 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/21 09:15:03.0078 1832 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/21 09:15:03.0265 1832 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/07/21 09:15:03.0406 1832 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/21 09:15:03.0609 1832 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/21 09:15:03.0703 1832 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/21 09:15:03.0875 1832 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2011/07/21 09:15:04.0000 1832 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/07/21 09:15:04.0203 1832 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/07/21 09:15:04.0375 1832 usbser (1c888b000c2f9492f4b15b5b6b84873e) C:\WINDOWS\system32\drivers\usbser.sys
2011/07/21 09:15:04.0531 1832 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/21 09:15:04.0640 1832 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/07/21 09:15:04.0734 1832 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/21 09:15:04.0843 1832 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/21 09:15:04.0953 1832 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/21 09:15:05.0046 1832 wceusbsh (4c0b8ef721783f52f8e531fbdc4b1f74) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
2011/07/21 09:15:05.0171 1832 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/07/21 09:15:05.0796 1832 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/21 09:15:06.0000 1832 WpdUsb (c60dc16d4e406810fad54b98dc92d5ec) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/07/21 09:15:06.0562 1832 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/07/21 09:15:06.0734 1832 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/21 09:15:06.0859 1832 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/21 09:15:06.0968 1832 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/07/21 09:15:07.0218 1832 Boot (0x1200) (a6ef7b6e2d8d90718032f0ce916acd56) \Device\Harddisk0\DR0\Partition0
2011/07/21 09:15:07.0250 1832 Boot (0x1200) (57d28f1894161d5c50785a6ed55802dd) \Device\Harddisk0\DR0\Partition1
2011/07/21 09:15:07.0250 1832 ================================================================================
2011/07/21 09:15:07.0250 1832 Scan finished
2011/07/21 09:15:07.0250 1832 ================================================================================
2011/07/21 09:15:07.0265 5480 Detected object count: 0
2011/07/21 09:15:07.0265 5480 Actual detected object count: 0

Second task 2. - I have downloaded aswMBR.exe; the fix button was not enabled, but I did the scan and here are the results I saved to my desktop.

11:54:49.734 OS Version: Windows 5.1.2600 Service Pack 3
11:54:49.734 Number of processors: 2 586 0x4B02
11:54:49.734 ComputerName: KOOROORA-61578C UserName: Paul
11:54:50.718 Initialize success
11:55:20.093 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c
11:55:20.093 Disk 0 Vendor: WDC_WD2500JB-00REA0 20.00K20 Size: 238474MB BusType: 3
11:55:20.109 Disk 0 MBR read successfully
11:55:20.109 Disk 0 MBR scan
11:55:20.109 Disk 0 Windows XP default MBR code
11:55:20.109 Disk 0 scanning sectors +488392065
11:55:20.171 Disk 0 scanning C:\WINDOWS\system32\drivers
11:55:36.265 Service scanning
11:55:37.968 Disk 0 trace - called modules:
11:55:37.984 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
11:55:37.984 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8638fab8]
11:55:37.984 3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\00000066[0x864219e8]
11:55:37.984 5 ACPI.sys[f735e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-c[0x86371d98]
11:55:37.984 Scan finished successfully
11:56:02.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Paul\Desktop\MBR.dat"
11:56:02.859 The log file has been saved successfully to "C:\Documents and Settings\Paul\Desktop\aswMBR.txt"

Thanks again for the support. I hope I have followed as you asked. I'm not much of a geek... lol

#4
RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Still need your OTL log

Ron

#5
paulgleave

    Member

  • Topic Starter
  • Member
  • 49 posts
Hi Ron
I have run OTL again and this is the file the log opened when it was finished. Is this it? I'm so sorry to have messed you around. By the way, it seems to only be happening to Google search engines. I tried Bing and all good with that. Thanks again.
OTL logfile created on: 21/07/2011 12:45:47 PM - Run 2
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Paul\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

959.48 Mb Total Physical Memory | 318.91 Mb Available Physical Memory | 33.24% Memory free
2.26 Gb Paging File | 1.32 Gb Available in Paging File | 58.21% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 118.59 Gb Total Space | 44.03 Gb Free Space | 37.13% Space Free | Partition Type: NTFS
Drive E: | 114.29 Gb Total Space | 72.48 Gb Free Space | 63.42% Space Free | Partition Type: NTFS

Computer Name: KOOROORA-61578C | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/20 23:14:38 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\My Documents\Downloads\OTL.exe
PRC - [2011/07/09 14:21:19 | 001,012,792 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/06/18 00:03:02 | 000,272,528 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
PRC - [2011/05/26 05:37:14 | 024,176,560 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/05/25 21:24:16 | 001,306,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/03/08 15:23:54 | 000,585,728 | ---- | M] () -- C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/12/01 23:56:40 | 000,574,216 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelAppStore\bin\serviceManager.exe
PRC - [2010/09/16 14:06:22 | 000,080,896 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
PRC - [2010/08/23 16:58:06 | 001,531,904 | ---- | M] (Nokia) -- C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
PRC - [2010/06/22 13:22:52 | 000,138,752 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
PRC - [2010/06/14 14:07:14 | 000,615,936 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
PRC - [2010/05/11 10:11:58 | 000,134,144 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclMSBTSrv.exe
PRC - [2010/04/13 20:11:16 | 003,045,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKstat.exe
PRC - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2009/10/27 09:15:02 | 000,120,832 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
PRC - [2009/01/26 15:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 09:42:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/05/10 22:46:20 | 000,624,248 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2011/07/20 23:14:38 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\My Documents\Downloads\OTL.exe
MOD - [2011/04/08 16:56:28 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/08/24 01:42:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (STSService)
SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/07/18 14:02:32 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/06/18 00:03:02 | 000,237,008 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe -- (McComponentHostService)
SRV - [2011/04/01 01:47:32 | 000,745,472 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\System32\GSService.exe -- (GSService)
SRV - [2011/03/17 16:38:42 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/02/16 09:37:38 | 000,245,760 | ---- | M] (SMServer) [Disabled | Stopped] -- C:\WINDOWS\System32\snmvtsvc.exe -- (SMServer)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/09/16 14:06:22 | 000,080,896 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
SRV - [2010/06/14 14:07:14 | 000,615,936 | ---- | M] (Nokia) [On_Demand | Running] -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)


========== Driver Services (SafeList) ==========

DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,089,368 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,083,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2011/03/13 11:20:10 | 000,083,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2011/02/17 01:22:00 | 000,023,608 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SndTAudio.sys -- (SndTAudio)
DRV - [2010/11/29 10:21:05 | 000,483,200 | ---- | M] (ITETech ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AF15BDA.SYS -- (AF15BDA)
DRV - [2010/06/22 18:01:50 | 000,021,248 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot)
DRV - [2010/04/13 20:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/09/16 09:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/08/13 18:41:07 | 000,015,600 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2009/06/10 00:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/07/13 16:25:22 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2007/06/22 09:54:32 | 000,087,424 | ---- | M] (Cmotech Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmusbnet.sys -- (cmusbnet) WAN Driver @ 3GPP (6280)
DRV - [2006/12/13 18:31:56 | 000,087,040 | ---- | M] (Cmotech Co.,Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmusbser.sys -- (cmusbser)
DRV - [2006/11/27 16:33:54 | 000,019,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/11/27 16:33:50 | 000,058,368 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/10/18 16:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/06/18 23:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/09/23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/07/09 04:26:38 | 000,015,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.telstra.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MVT: C:\Program Files\McAfee\Supportability\MVT\NPMVTPlugin.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\Paul\Application Data\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/25 20:10:53 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2006/02/28 21:30:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110625171636.dll (McAfee, Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [HTC Sync Loader] C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe ()
O4 - HKLM..\Run: [Intel AppUp(SM) center] C:\Program Files\Intel\IntelAppStore\bin\serviceManager.lnk ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [RestartNeroSetup] File not found
O4 - HKCU..\Run: [8DDYX0ZBPZ] File not found
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] File not found
O4 - HKCU..\Run: [BitTorrent] File not found
O4 - HKCU..\Run: [NtWqIVLZEWZU] File not found
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk = C:\Program Files\McAfee Online Backup\MOBKstat.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\Paul\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll ()
O9 - Extra 'Tools' menuitem : Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll ()
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: internet ([]about in Local intranet)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Local intranet)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Local intranet)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.138
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/13 18:22:03 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\Shell - "" = AutoRun
O33 - MountPoints2\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/21 01:11:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/07/20 22:50:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Windows Search
[2011/07/20 22:29:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Windows Desktop Search
[2011/07/20 22:19:23 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
[2011/07/20 22:19:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/07/20 21:33:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/07/20 18:38:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/07/20 18:37:58 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/07/20 18:37:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/07/20 18:32:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2011/07/20 18:08:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2011/07/20 18:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
[2011/07/20 18:08:18 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2011/07/20 16:53:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2011/07/20 16:46:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Citrix
[2011/07/20 16:41:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\McAfee
[2011/07/19 11:49:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Start Menu\Programs\HiJackThis
[2011/07/19 11:49:25 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/07/18 22:51:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/07/18 20:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Nero_AG
[2011/07/18 20:06:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\BitTorrent
[2011/07/18 19:42:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\My Documents\AVS4YOU
[2011/07/18 17:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Library
[2011/07/18 17:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\com.adobe.ExMan
[2011/07/18 16:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\PCHealth
[2011/07/18 15:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft Help
[2011/07/18 15:40:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2011/07/18 12:46:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Nero
[2011/07/18 12:46:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Nero
[2011/07/18 12:27:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2011/07/14 18:47:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2011/07/14 17:20:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA
[2011/07/07 20:59:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\com.miniclip.vikingdefense
[2011/07/07 20:58:51 | 000,000,000 | ---D | C] -- C:\Program Files\vikingdefense
[2011/07/02 14:23:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Lazy 8 Studios
[2011/07/02 14:22:36 | 000,000,000 | ---D | C] -- C:\Program Files\Lazy 8 Studios
[2011/07/01 19:22:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Dropbox
[2011/06/21 13:29:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/21 12:34:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1450960922-2146968213-1004UA.job
[2011/07/21 12:29:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/21 11:56:02 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\MBR.dat
[2011/07/21 08:34:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1450960922-2146968213-1004Core.job
[2011/07/21 07:40:58 | 000,081,496 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/07/21 07:40:47 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/21 07:40:46 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-725345543-1450960922-2146968213-1004.job
[2011/07/21 01:11:44 | 000,000,312 | ---- | M] () -- C:\WINDOWS\tasks\Vddxa.job
[2011/07/21 01:11:42 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/21 01:06:22 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/20 22:19:42 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/07/20 22:19:41 | 000,001,787 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2011/07/20 22:19:33 | 000,505,546 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/20 22:19:33 | 000,087,530 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/20 20:49:45 | 000,001,676 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\e-Sword.lnk
[2011/07/20 20:36:21 | 000,000,147 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/07/20 19:26:39 | 000,000,844 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Photoshop Elements 6.0.lnk
[2011/07/20 19:25:33 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\DVD Shrink 3.2.lnk
[2011/07/20 19:25:16 | 000,000,991 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Dropbox.lnk
[2011/07/20 19:17:15 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\HiJackThis.lnk
[2011/07/20 18:38:13 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/20 18:08:44 | 000,001,801 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/07/20 18:00:01 | 000,000,440 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2011/07/20 17:01:06 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/07/20 10:45:19 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/20 08:37:05 | 000,000,378 | ---- | M] () -- C:\WINDOWS\tasks\DriverCure.job
[2011/07/20 00:49:23 | 000,026,678 | ---- | M] () -- C:\WINDOWS\MOBK.blk
[2011/07/20 00:49:22 | 000,000,330 | ---- | M] () -- C:\WINDOWS\MOBK.flt
[2011/07/19 17:54:46 | 000,290,888 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/18 22:47:03 | 000,062,464 | RHS- | M] () -- C:\WINDOWS\System32\userinitm.dll
[2011/07/18 20:43:08 | 000,000,570 | ---- | M] () -- C:\WINDOWS\tasks\burn notice.job
[2011/07/18 20:17:07 | 000,018,432 | ---- | M] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/18 16:09:36 | 000,002,343 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Angry Birds.lnk
[2011/07/18 13:20:15 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/07/18 13:15:36 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/07/18 13:15:36 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/07/17 03:58:02 | 000,000,414 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job
[2011/07/15 13:28:40 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Cogs GO Lite.lnk
[2011/07/15 10:46:20 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Fruit Ninja Lite.lnk
[2011/07/15 09:36:11 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/07/14 14:38:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-1450960922-2146968213-1004.job
[2011/07/07 20:58:54 | 000,000,680 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\vikingdefense.lnk
[2011/07/07 18:02:35 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2011/06/30 19:45:00 | 000,000,223 | RHS- | M] () -- C:\boot.ini
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/21 11:56:02 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\MBR.dat
[2011/07/21 00:35:26 | 000,323,638 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-725345543-1450960922-2146968213-1004-0.dat
[2011/07/20 22:19:41 | 000,001,803 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
[2011/07/20 22:19:41 | 000,001,787 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2011/07/20 20:49:45 | 000,001,676 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\e-Sword.lnk
[2011/07/20 19:30:18 | 000,323,638 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/07/20 19:26:39 | 000,000,844 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Photoshop Elements 6.0.lnk
[2011/07/20 19:25:33 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\DVD Shrink 3.2.lnk
[2011/07/20 19:25:16 | 000,000,991 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Dropbox.lnk
[2011/07/20 19:17:15 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\HiJackThis.lnk
[2011/07/20 19:10:27 | 000,000,147 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/07/20 18:38:13 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/20 18:08:29 | 000,001,801 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/07/20 16:41:29 | 000,001,775 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Virtual Technician.lnk
[2011/07/19 12:36:22 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2011/07/18 22:47:08 | 000,000,312 | ---- | C] () -- C:\WINDOWS\tasks\Vddxa.job
[2011/07/18 22:47:02 | 000,062,464 | RHS- | C] () -- C:\WINDOWS\System32\userinitm.dll
[2011/07/18 20:22:37 | 000,000,570 | ---- | C] () -- C:\WINDOWS\tasks\burn notice.job
[2011/07/18 15:48:33 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/07/18 14:09:09 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Bridge CS4.lnk
[2011/07/18 14:04:30 | 000,001,002 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Extension Manager CS4.lnk
[2011/07/18 14:03:12 | 000,001,104 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe ExtendScript Toolkit CS4.lnk
[2011/07/18 13:15:45 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\Paul\Start Menu\Programs\Windows Media Player.lnk
[2011/07/07 20:58:54 | 000,000,686 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\vikingdefense.lnk
[2011/07/07 20:58:53 | 000,000,680 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\vikingdefense.lnk
[2011/07/02 14:22:55 | 000,002,473 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Cogs GO Lite.lnk
[2011/07/02 14:22:55 | 000,002,018 | ---- | C] () -- C:\Documents and Settings\Paul\Start Menu\Programs\Cogs GO Lite.lnk
[2011/06/30 19:10:22 | 000,000,991 | ---- | C] () -- C:\Documents and Settings\Paul\Start Menu\Programs\Startup\Dropbox.lnk
[2011/06/30 19:10:22 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk
[2011/06/24 17:10:37 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/17 20:48:54 | 000,060,424 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/04/28 20:04:58 | 000,745,472 | ---- | C] () -- C:\WINDOWS\System32\GSService.exe
[2010/10/10 14:41:24 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\systeminfo.dll
[2010/10/10 14:41:13 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/10/10 14:40:12 | 000,000,140 | ---- | C] () -- C:\WINDOWS\System32\AF15IRTBL.bin
[2010/07/08 11:51:42 | 001,161,696 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/02/08 08:33:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/11 21:05:09 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/11/22 18:21:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Biblica.ini
[2009/09/29 16:20:00 | 000,018,432 | ---- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/31 13:00:22 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\WBCustomizer.dll
[2009/08/31 13:00:21 | 000,185,344 | ---- | C] () -- C:\WINDOWS\System32\MemWarp.dll
[2009/08/30 17:12:35 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/26 21:44:55 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/08/14 03:23:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/14 03:21:29 | 000,290,888 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/13 18:54:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/13 18:32:57 | 000,001,732 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2009/08/13 18:25:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/08/13 18:18:03 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/01/15 03:31:00 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/10/31 16:05:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/31 16:05:00 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/10/31 16:05:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/31 16:05:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/10/31 16:05:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/31 16:05:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/31 16:05:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/31 16:05:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/10/31 16:05:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/10/31 16:05:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/31 16:05:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/02/28 21:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 21:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 21:30:00 | 000,505,546 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 21:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 21:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 21:30:00 | 000,087,530 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 21:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 21:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 21:30:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 21:30:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 21:30:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 21:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

========== LOP Check ==========

[2010/11/15 10:31:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Age of Empires 3
[2011/07/18 12:44:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BlazeVideo
[2009/08/18 08:16:34 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\CanonBJ
[2011/07/20 16:53:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2010/11/02 10:51:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DriverCure
[2010/02/18 14:47:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Installations
[2009/10/19 15:32:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MSScanAppDataDir
[2009/08/17 22:08:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Nokia
[2010/08/10 15:38:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaInstallerCache
[2009/08/17 20:12:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NokiaMusic
[2010/02/18 15:28:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\OviInstallerCache
[2010/11/02 11:07:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\ParetoLogic
[2009/08/17 20:16:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PC Suite
[2011/04/30 14:57:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TFT-DemoAppUp
[2010/04/18 22:15:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WORDsearch
[2010/04/18 22:09:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\wsc
[2011/06/17 20:47:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2010/04/18 22:13:25 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{737CF3DA-81A9-45D2-84EA-B73998F39342}
[2011/07/18 20:12:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\BitTorrent
[2011/05/08 13:01:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Canon
[2011/07/18 17:18:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\com.adobe.ExMan
[2011/07/18 22:51:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/07/07 20:59:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\com.miniclip.vikingdefense
[2010/11/01 21:21:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\DriverCure
[2011/07/21 07:44:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Dropbox
[2010/03/25 10:16:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Facebook
[2011/04/28 20:06:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\GetRightToGo
[2011/05/16 18:10:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\HTC
[2011/05/16 19:58:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
[2011/07/02 14:23:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Lazy 8 Studios
[2010/05/14 18:39:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\LG Electronics
[2011/07/20 19:22:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Nokia
[2010/08/10 15:56:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Nokia Ovi Suite
[2009/08/17 22:02:24 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Nseries
[2011/05/23 18:38:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Outlook
[2010/02/19 13:30:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\PC Suite
[2011/04/27 18:52:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\RegistryKeys
[2011/04/22 23:09:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Rovio
[2011/07/20 22:29:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Windows Desktop Search
[2011/07/20 22:50:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Paul\Application Data\Windows Search
[2011/07/18 20:43:08 | 000,000,570 | ---- | M] () -- C:\WINDOWS\Tasks\burn notice.job
[2011/07/20 08:37:05 | 000,000,378 | ---- | M] () -- C:\WINDOWS\Tasks\DriverCure.job
[2011/07/20 18:00:01 | 000,000,440 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Registration.job
[2011/07/17 03:58:02 | 000,000,414 | ---- | M] () -- C:\WINDOWS\Tasks\ParetoLogic Update Version2.job
[2011/07/21 01:11:44 | 000,000,312 | ---- | M] () -- C:\WINDOWS\Tasks\Vddxa.job

========== Purity Check ==========



< End of report >

Edited by paulgleave, 20 July 2011 - 09:47 PM.


#6 RKinner (Malware Expert, 24,625 posts, MVP)
Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer

Copy the text in the code box by highlighting it and pressing Ctrl + C:

:processes
killallprocesses

:Services
STSService
NMIndexingService
AppMgmt

:OTL
SRV - File not found [Disabled | Stopped] -- -- (STSService)
SRV - File not found [On_Demand | Stopped] -- -- (NMIndexingService)
SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [RestartNeroSetup] File not found
O4 - HKCU..\Run: [8DDYX0ZBPZ] File not found
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] File not found
O4 - HKCU..\Run: [BitTorrent] File not found
O4 - HKCU..\Run: [NtWqIVLZEWZU] File not found
O15 - HKCU\..Trusted Domains: internet ([]about in Local intranet)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.ad...Plus/1.6/gp.cab (Reg Error: Key error.)
O33 - MountPoints2\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\Shell - "" = AutoRun
O33 - MountPoints2\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
[2011/07/21 01:11:44 | 000,000,312 | ---- | M] () -- C:\WINDOWS\tasks\Vddxa.job
[2011/07/18 22:47:03 | 000,062,464 | RHS- | M] () -- C:\WINDOWS\System32\userinitm.dll
[2011/07/18 20:43:08 | 000,000,570 | ---- | M] () -- C:\WINDOWS\tasks\burn notice.job
[2011/07/20 08:37:05 | 000,000,378 | ---- | M] () -- C:\WINDOWS\tasks\DriverCure.job
[2010/04/18 22:13:25 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{737CF3DA-81A9-45D2-84EA-B73998F39342}
[2011/07/17 03:58:02 | 000,000,414 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Update Version2.job

:files
C:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx
     
:Commands
[RESETHOSTS]
[purity]
[Reboot]

Then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.

Open OTL again and select the All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.

Malwarebytes' Anti-Malware
If you have a previous version of Malwarebytes', remove it via Add or Remove Programs and download a fresh copy.

http://www.malwarebytes.org/mbam.php

SAVE Malwarebytes' Anti-Malware to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location.
* The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
* Post that log back here.



ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it.

Disable your Antivirus software when downloading or running Combofix. If it has Script Blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download and Save this file -- to your Desktop -- from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Double-click on ComboFix to start the program.

* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.

* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your anti-virus at this time :!:

Open OTL again and select the All option in the Extra Registry group then the Run Scan button. Post the two logs it produces in your next reply.


Ron
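The logs Ron asks for above are read by hand, line by line, looking for autostart entries that do not belong. As an added illustration (this script is not from the thread, from OTL's author, or from any of the tools named above), the following Python triages the O1 (hosts file) and O4 (Run key) lines of an OTL-style log with the same checks a helper applies by eye: value names that look machine-generated, executables launched from the Recycle Bin, Temp or the root of Application Data, entries with no company name outside Program Files or WINDOWS, and hosts-file lines beyond the two localhost defaults. The sample lines are constructed to match OTL's format and are not taken from the posted logs; the heuristics, thresholds and function names are my own assumptions, not OTL's.

```python
import re

# Constructed OTL-style lines (not from the thread's logs); format modelled on
# OTL's O1 (hosts) and O4 (Run key) sections. Only the google.com hosts line,
# the X7QZ9KPLWM entry and the RECYCLER entry should be flagged.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.0.0.1 www.google.com
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKCU..\Run: [X7QZ9KPLWM] C:\Documents and Settings\User\Application Data\x7qz9kplwm.exe ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKLM..\Run: [svchost] C:\RECYCLER\S-1-5-21-123\svchost.exe ()
"""

# "O4 - HKLM..\Run: [ValueName] C:\path\file.exe (Company Name)"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.+?) \((?P<vendor>[^)]*)\)$')
# "O1 - Hosts: <ip> <hostname>"
O1_RE = re.compile(r'^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)')

VOWELS = set("aeiouAEIOU")
LOOPBACK = {"127.0.0.1", "::1"}
TRUSTED_ROOTS = re.compile(r'^[A-Z]:\\(Program Files|WINDOWS)\\', re.I)

# Assumed path heuristics: places a legitimate autostart rarely runs from.
PATH_RULES = [
    (re.compile(r'\\RECYCLER\\', re.I), "runs from a Recycle Bin folder"),
    (re.compile(r'\\(Local Settings\\)?Temp\\', re.I), "runs from a Temp folder"),
    (re.compile(r'\\Application Data\\[^\\]+\.(exe|dll|scr)$', re.I),
     "executable dropped directly in Application Data"),
    (re.compile(r'\\Documents and Settings\\[^\\]+\\[^\\]+\.(exe|dll|scr)$', re.I),
     "executable in the root of a user profile"),
]


def looks_random(name: str) -> bool:
    """Heuristic for generated value names: 8+ alphanumerics that are almost
    vowel-free, or that mix digits and letters with no lowercase at all."""
    alnum = "".join(ch for ch in name if ch.isalnum())
    if len(alnum) < 8:
        return False
    letters = [ch for ch in alnum if ch.isalpha()]
    digits = [ch for ch in alnum if ch.isdigit()]
    if letters and sum(ch in VOWELS for ch in letters) / len(letters) <= 0.2:
        return True
    return bool(digits) and bool(letters) and alnum.upper() == alnum


def suspicious_path(path: str) -> list:
    """Return the reasons (if any) a launch path is worth a second look."""
    return [reason for pattern, reason in PATH_RULES if pattern.search(path)]


def check_hosts(ip: str, host: str) -> list:
    """Only the two localhost defaults are expected; anything else is reviewed."""
    if host.lower() == "localhost" and ip in LOOPBACK:
        return []
    return [f"hosts file maps {host} to {ip}"]


def parse_run_entry(line: str):
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text: str) -> list:
    """Return [(line, [reasons...])] for every O1/O4 line that trips a check."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O1_RE.match(line)
        if m:
            reasons = check_hosts(m["ip"], m["host"])
            if reasons:
                findings.append((line, reasons))
            continue
        entry = parse_run_entry(line)
        if entry is None:
            continue
        reasons = []
        if looks_random(entry["name"]):
            reasons.append(f"value name {entry['name']!r} looks generated")
        reasons.extend(suspicious_path(entry["path"]))
        # An empty "()" means OTL found no company name in the file's version info;
        # on its own that is weak, so it only counts outside the trusted roots.
        if not entry["vendor"].strip() and not TRUSTED_ROOTS.match(entry["path"]):
            reasons.append("no company name and outside Program Files/WINDOWS")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("   -", reason)
```

These checks only shortlist lines for a human to look at; a flagged entry is not proof of malware and an unflagged one is not proof of a clean machine. Hosts-file lines pointing real domains at 127.0.0.1 are also reported, since that is exactly how an infection blocks anti-virus update sites.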

#7 paulgleave (Topic Starter, Member, 49 posts)
Hi Ron, I have done the Spybot TeaTimer step and then I copied and pasted in it and ran that as you said. Here are the details:
========== PROCESSES ==========
All processes killed
========== SERVICES/DRIVERS ==========
Service STSService stopped successfully!
Service STSService deleted successfully!
Service NMIndexingService stopped successfully!
Service NMIndexingService deleted successfully!
Service AppMgmt stopped successfully!
Service AppMgmt deleted successfully!
========== OTL ==========
Error: No service named STSService was found to stop!
Service\Driver key STSService not found.
Error: No service named NMIndexingService was found to stop!
Service\Driver key NMIndexingService not found.
Error: No service named AppMgmt was found to stop!
Service\Driver key AppMgmt not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\RestartNeroSetup deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\8DDYX0ZBPZ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\BitTorrent deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\NtWqIVLZEWZU deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\internet\ deleted successfully.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\WINDOWS\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{63ff9dda-c550-11df-bd78-001a4d7e69cb}\ not found.
File C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn not found.
C:\WINDOWS\tasks\Vddxa.job moved successfully.
C:\WINDOWS\system32\userinitm.dll moved successfully.
C:\WINDOWS\tasks\burn notice.job moved successfully.
C:\WINDOWS\tasks\DriverCure.job moved successfully.
C:\Documents and Settings\All Users\Application Data\{737CF3DA-81A9-45D2-84EA-B73998F39342} folder moved successfully.
C:\WINDOWS\tasks\ParetoLogic Update Version2.job moved successfully.
========== FILES ==========
File\Folder C:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx not found.
========== COMMANDS ==========
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.26.1 log created on 07212011_161149

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
Then I have run OTL again and followed your instructions - and I must say, if a simple computer guy like me can follow these, you're doing an amazing job. Here are the logs from that:

OTL logfile created on: 21/07/2011 4:21:36 PM - Run 3
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Paul\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

959.48 Mb Total Physical Memory | 66.61 Mb Available Physical Memory | 6.94% Memory free
2.26 Gb Paging File | 1.31 Gb Available in Paging File | 57.76% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 118.59 Gb Total Space | 43.77 Gb Free Space | 36.91% Space Free | Partition Type: NTFS
Drive E: | 114.29 Gb Total Space | 72.48 Gb Free Space | 63.42% Space Free | Partition Type: NTFS

Computer Name: KOOROORA-61578C | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/20 23:14:38 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\My Documents\Downloads\OTL.exe
PRC - [2011/07/09 14:21:19 | 001,012,792 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/06/18 00:03:02 | 000,272,528 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
PRC - [2011/05/26 05:37:14 | 024,176,560 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/05/25 21:24:16 | 001,306,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/03/08 15:23:54 | 000,585,728 | ---- | M] () -- C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/12/01 23:56:40 | 000,574,216 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelAppStore\bin\serviceManager.exe
PRC - [2010/09/16 14:06:22 | 000,080,896 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
PRC - [2010/08/23 16:58:06 | 001,531,904 | ---- | M] (Nokia) -- C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
PRC - [2010/06/22 13:22:52 | 000,138,752 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
PRC - [2010/06/14 14:07:14 | 000,615,936 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
PRC - [2010/05/11 10:11:58 | 000,134,144 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclMSBTSrv.exe
PRC - [2010/04/13 20:11:16 | 003,045,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKstat.exe
PRC - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2009/10/27 09:15:02 | 000,120,832 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
PRC - [2009/01/26 15:31:16 | 002,144,088 | RHS- | M] (Safer Networking Limited) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/08/28 19:34:14 | 013,145,448 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
PRC - [2008/04/14 09:42:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/09/10 23:43:54 | 000,067,488 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
PRC - [2007/05/10 22:46:20 | 000,624,248 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2011/07/20 23:14:38 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\My Documents\Downloads\OTL.exe
MOD - [2011/04/08 16:56:28 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/08/24 01:42:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/07/18 14:02:32 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/06/18 00:03:02 | 000,237,008 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe -- (McComponentHostService)
SRV - [2011/04/01 01:47:32 | 000,745,472 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\System32\GSService.exe -- (GSService)
SRV - [2011/03/17 16:38:42 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/02/16 09:37:38 | 000,245,760 | ---- | M] (SMServer) [Disabled | Stopped] -- C:\WINDOWS\System32\snmvtsvc.exe -- (SMServer)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/09/16 14:06:22 | 000,080,896 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
SRV - [2010/06/14 14:07:14 | 000,615,936 | ---- | M] (Nokia) [On_Demand | Running] -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)


========== Driver Services (SafeList) ==========

DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,089,368 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,083,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2011/03/13 11:20:10 | 000,083,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2011/02/17 01:22:00 | 000,023,608 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SndTAudio.sys -- (SndTAudio)
DRV - [2010/11/29 10:21:05 | 000,483,200 | ---- | M] (ITETech ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AF15BDA.SYS -- (AF15BDA)
DRV - [2010/06/22 18:01:50 | 000,021,248 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot)
DRV - [2010/04/13 20:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/09/16 09:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/08/13 18:41:07 | 000,015,600 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2009/06/10 00:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/07/13 16:25:22 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2007/06/22 09:54:32 | 000,087,424 | ---- | M] (Cmotech Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmusbnet.sys -- (cmusbnet) WAN Driver @ 3GPP (6280)
DRV - [2006/12/13 18:31:56 | 000,087,040 | ---- | M] (Cmotech Co.,Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmusbser.sys -- (cmusbser)
DRV - [2006/11/27 16:33:54 | 000,019,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/11/27 16:33:50 | 000,058,368 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/10/18 16:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/06/18 23:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/09/23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/07/09 04:26:38 | 000,015,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.telstra.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MVT: C:\Program Files\McAfee\Supportability\MVT\NPMVTPlugin.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\Paul\Application Data\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/25 20:10:53 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/07/21 16:11:56 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110625171636.dll (McAfee, Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [HTC Sync Loader] C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe ()
O4 - HKLM..\Run: [Intel AppUp(SM) center] C:\Program Files\Intel\IntelAppStore\bin\serviceManager.lnk ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk = C:\Program Files\McAfee Online Backup\MOBKstat.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\Paul\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra Button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll ()
O9 - Extra 'Tools' menuitem : Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll ()
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Local intranet)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Local intranet)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.138
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/13 18:22:03 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/21 16:13:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/07/21 16:11:49 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/07/20 22:50:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Windows Search
[2011/07/20 22:29:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Windows Desktop Search
[2011/07/20 22:19:23 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
[2011/07/20 22:19:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/07/20 22:18:18 | 000,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2011/07/20 21:33:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/07/20 21:33:38 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/07/20 21:33:38 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/07/20 21:33:38 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/07/20 18:38:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/07/20 18:37:58 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/07/20 18:37:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/07/20 18:32:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2011/07/20 18:08:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2011/07/20 18:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
[2011/07/20 18:08:18 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2011/07/20 16:53:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2011/07/20 16:46:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Citrix
[2011/07/20 16:41:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\McAfee
[2011/07/19 11:49:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Start Menu\Programs\HiJackThis
[2011/07/19 11:49:25 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/07/18 22:51:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/07/18 20:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Nero_AG
[2011/07/18 20:06:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\BitTorrent
[2011/07/18 19:42:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\My Documents\AVS4YOU
[2011/07/18 17:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Library
[2011/07/18 17:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\com.adobe.ExMan
[2011/07/18 16:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\PCHealth
[2011/07/18 15:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft Help
[2011/07/18 15:40:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2011/07/18 12:46:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Nero
[2011/07/18 12:46:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Nero
[2011/07/18 12:27:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2011/07/14 18:47:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2011/07/14 17:20:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA
[2011/07/07 20:59:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\com.miniclip.vikingdefense
[2011/07/07 20:58:51 | 000,000,000 | ---D | C] -- C:\Program Files\vikingdefense
[2011/07/02 14:23:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Lazy 8 Studios
[2011/07/02 14:22:36 | 000,000,000 | ---D | C] -- C:\Program Files\Lazy 8 Studios
[2011/07/01 19:22:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Dropbox
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/21 16:29:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/21 16:16:12 | 000,081,496 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/07/21 16:15:32 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/21 16:15:32 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-725345543-1450960922-2146968213-1004.job
[2011/07/21 16:12:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/21 16:11:56 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/07/21 15:34:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1450960922-2146968213-1004UA.job
[2011/07/21 14:38:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-1450960922-2146968213-1004.job
[2011/07/21 08:34:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1450960922-2146968213-1004Core.job
[2011/07/21 01:06:22 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/20 22:19:42 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/07/20 22:19:41 | 000,001,787 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2011/07/20 22:19:33 | 000,505,546 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/20 22:19:33 | 000,087,530 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/20 20:49:45 | 000,001,676 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\e-Sword.lnk
[2011/07/20 20:36:21 | 000,000,147 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/07/20 19:26:39 | 000,000,844 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Photoshop Elements 6.0.lnk
[2011/07/20 19:25:33 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\DVD Shrink 3.2.lnk
[2011/07/20 19:25:16 | 000,000,991 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Dropbox.lnk
[2011/07/20 19:17:15 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\HiJackThis.lnk
[2011/07/20 18:38:13 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/20 18:08:44 | 000,001,801 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/07/20 18:00:01 | 000,000,440 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2011/07/20 17:01:06 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/07/20 10:45:19 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/20 00:49:23 | 000,026,678 | ---- | M] () -- C:\WINDOWS\MOBK.blk
[2011/07/20 00:49:22 | 000,000,330 | ---- | M] () -- C:\WINDOWS\MOBK.flt
[2011/07/19 17:54:46 | 000,290,888 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/18 20:17:07 | 000,018,432 | ---- | M] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/18 16:09:36 | 000,002,343 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Angry Birds.lnk
[2011/07/18 13:20:15 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/07/18 13:15:36 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/07/18 13:15:36 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/07/15 13:28:40 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Cogs GO Lite.lnk
[2011/07/15 10:46:20 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Fruit Ninja Lite.lnk
[2011/07/15 09:36:11 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/07/07 20:58:54 | 000,000,680 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\vikingdefense.lnk
[2011/07/07 18:02:35 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2011/06/30 19:45:00 | 000,000,223 | RHS- | M] () -- C:\boot.ini
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/21 00:35:26 | 000,323,638 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-725345543-1450960922-2146968213-1004-0.dat
[2011/07/20 22:19:41 | 000,001,803 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
[2011/07/20 22:19:41 | 000,001,787 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2011/07/20 20:49:45 | 000,001,676 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\e-Sword.lnk
[2011/07/20 19:30:18 | 000,323,638 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/07/20 19:26:39 | 000,000,844 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Photoshop Elements 6.0.lnk
[2011/07/20 19:25:33 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\DVD Shrink 3.2.lnk
[2011/07/20 19:25:16 | 000,000,991 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Dropbox.lnk
[2011/07/20 19:17:15 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\HiJackThis.lnk
[2011/07/20 19:10:27 | 000,000,147 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/07/20 18:38:13 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/20 18:08:29 | 000,001,801 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/07/20 16:41:29 | 000,001,775 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Virtual Technician.lnk
[2011/07/19 12:36:22 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2011/07/18 15:48:33 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/07/18 14:09:09 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Bridge CS4.lnk
[2011/07/18 14:04:30 | 000,001,002 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Extension Manager CS4.lnk
[2011/07/18 14:03:12 | 000,001,104 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe ExtendScript Toolkit CS4.lnk
[2011/07/18 13:15:45 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\Paul\Start Menu\Programs\Windows Media Player.lnk
[2011/07/07 20:58:54 | 000,000,686 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\vikingdefense.lnk
[2011/07/07 20:58:53 | 000,000,680 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\vikingdefense.lnk
[2011/07/02 14:22:55 | 000,002,473 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Cogs GO Lite.lnk
[2011/07/02 14:22:55 | 000,002,018 | ---- | C] () -- C:\Documents and Settings\Paul\Start Menu\Programs\Cogs GO Lite.lnk
[2011/06/30 19:10:22 | 000,000,991 | ---- | C] () -- C:\Documents and Settings\Paul\Start Menu\Programs\Startup\Dropbox.lnk
[2011/06/30 19:10:22 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk
[2011/06/24 17:10:37 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/17 20:48:54 | 000,060,424 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/04/28 20:04:58 | 000,745,472 | ---- | C] () -- C:\WINDOWS\System32\GSService.exe
[2010/10/10 14:41:24 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\systeminfo.dll
[2010/10/10 14:41:13 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/10/10 14:40:12 | 000,000,140 | ---- | C] () -- C:\WINDOWS\System32\AF15IRTBL.bin
[2010/07/08 11:51:42 | 001,161,696 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/02/08 08:33:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/11 21:05:09 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/11/22 18:21:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Biblica.ini
[2009/09/29 16:20:00 | 000,018,432 | ---- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/31 13:00:22 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\WBCustomizer.dll
[2009/08/31 13:00:21 | 000,185,344 | ---- | C] () -- C:\WINDOWS\System32\MemWarp.dll
[2009/08/30 17:12:35 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/26 21:44:55 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/08/14 03:23:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/14 03:21:29 | 000,290,888 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/13 18:54:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/13 18:32:57 | 000,001,732 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2009/08/13 18:25:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/08/13 18:18:03 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/01/15 03:31:00 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/10/31 16:05:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/31 16:05:00 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/10/31 16:05:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/31 16:05:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/10/31 16:05:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/31 16:05:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/31 16:05:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/31 16:05:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/10/31 16:05:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/10/31 16:05:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/31 16:05:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/02/28 21:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 21:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 21:30:00 | 000,505,546 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 21:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 21:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 21:30:00 | 000,087,530 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 21:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 21:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 21:30:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 21:30:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 21:30:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 21:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >

Thanks again, I will now continue with the malware and other downloads as you have directed. Mate, I'm so grateful, thanks heaps.
Regards
Paul

#8
RKinner
    Malware Expert
  • Expert
  • 24,625 posts
  • MVP
OK. On my way to bed now. It's after midnight here.

Ron

#9
paulgleave
    Member
  • Topic Starter
  • Member
  • 49 posts
Hi Ron, here is the Malwarebytes log. I have just made the big mistake with ComboFix of leaving my antivirus on when it started to scan; I downloaded it and expected to install, then run. My mistake, so I have not run it again. You were clear about that, I'm sorry. But I did see "don't run it again". What should I do?

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7219

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

21/07/2011 7:12:32 PM
mbam-log-2011-07-21 (19-12-32).txt

Scan type: Quick scan
Objects scanned: 164588
Time elapsed: 10 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XMZH42I4GI (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by paulgleave, 21 July 2011 - 04:09 AM.

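The Malwarebytes log in the post above is the thread's key evidence: two random-named keys under HKCU\SOFTWARE tagged Trojan.FakeAlert, an Internet Settings\Zones hijack, and two Security Center values that had been set to 1. The block below is an added example, my code rather than anything from Malwarebytes or from the original post: it parses this 1.x log format, cross-checks the summary counts against the items actually listed, and pulls out the Security Center tampering and the rogue-AV marker keys. The sample log is constructed from the shape of the posted one, and the function names, the `Detection` record and the random-key heuristic are my assumptions, not a Malwarebytes API.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and triage the findings.

Added example. The parser, the helper names and SAMPLE_LOG are mine,
reconstructed from the format of the log posted in this thread; none of
this is a Malwarebytes tool or API.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: same layout as the posted log, trimmed to the lines
# the parser actually uses.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7219

Scan type: Quick scan

Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Files Infected: 0

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\8DDYX0ZBPZ (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XMZH42I4GI (Trojan.FakeAlert.SA) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# "Registry Keys Infected: 3" is a summary count; "Registry Keys Infected:" opens a section.
COUNT_RE = re.compile(r"^([A-Z][A-Za-z ]+?) Infected: (\d+)$")
SECTION_RE = re.compile(r"^([A-Z][A-Za-z ]+?) Infected:$")
# target (family) -> [Bad: (x) Good: (y) ->] action.
ITEM_RE = re.compile(
    r"^(?P<target>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)
SECURITY_CENTER = "hkey_local_machine\\software\\microsoft\\security center\\"
# Heuristic (my assumption): FakeAlert-style marker keys are short random
# uppercase alphanumerics directly under HKCU\SOFTWARE.
RANDOM_KEY_RE = re.compile(r"^HKEY_CURRENT_USER\\SOFTWARE\\[A-Z0-9]{8,12}$", re.IGNORECASE)


@dataclass
class Detection:
    section: str
    target: str
    family: str
    action: str
    bad: Optional[str] = None   # only present for "Registry Data Items"
    good: Optional[str] = None


def parse_mbam_log(text: str) -> Tuple[Dict[str, int], List[Detection]]:
    """Return (summary counts per section, detections listed under each section)."""
    counts: Dict[str, int] = {}
    found: List[Detection] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1)] = int(m.group(2))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line.startswith("("):   # "(No malicious items detected)"
            continue
        m = ITEM_RE.match(line)
        if m:
            found.append(Detection(section, **m.groupdict()))
    return counts, found


def count_mismatches(counts: Dict[str, int], found: List[Detection]) -> Dict[str, Tuple[int, int]]:
    """Sections whose summary count disagrees with the items listed: (claimed, listed)."""
    listed: Dict[str, int] = {}
    for d in found:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in counts.items() if listed.get(s, 0) != n}


def security_center_tampering(found: List[Detection]) -> Dict[str, Tuple[str, str]]:
    """Security Center *DisableNotify values MBAM reset, as value name -> (bad, good).

    On XP SP2 and later a value of 1 in AntiVirusDisableNotify or
    FirewallDisableNotify silences the Security Center warning that the AV or
    firewall is off, which is why a rogue sets it and why "Good" is 0.
    """
    return {d.target.rsplit("\\", 1)[-1]: (d.bad or "", d.good or "")
            for d in found
            if d.target.lower().startswith(SECURITY_CENTER) and d.bad is not None}


def rogue_av_markers(found: List[Detection]) -> List[str]:
    """Keys tagged FakeAlert, or random-named HKCU\\SOFTWARE keys in that style."""
    return [d.target for d in found
            if d.family.startswith("Trojan.FakeAlert") or RANDOM_KEY_RE.match(d.target)]


if __name__ == "__main__":
    counts, found = parse_mbam_log(SAMPLE_LOG)
    for d in found:
        print(f"[{d.section}] {d.family}: {d.target} -> {d.action}")
    print("count mismatches:", count_mismatches(counts, found))
    print("security center:", security_center_tampering(found))
    print("rogue markers:", rogue_av_markers(found))
```

The count cross-check is the part worth keeping around: a log whose header says "Registry Keys Infected: 3" but lists only two items is a log that was edited or truncated before posting. The Security Center values are the security-relevant detail in this scan. With AntiVirusDisableNotify and FirewallDisableNotify both at 1, Windows XP would not have warned that protection was off, which is exactly the condition a FakeAlert rogue wants while it shows its own fake warnings; resetting them to 0 (MBAM's "Good") restores the warning but does not by itself prove the rogue's executable is gone.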

#10
paulgleave
    Member
  • Topic Starter
  • Member
  • 49 posts
Hi Ron, OTL log below. Thanks again, I am grateful for your time and effort. Just checked and the search engine is working fine and the computer is 100% faster. Not sure if that's fixed or not; I'll let you tell me what you think. :)

OTL logfile created on: 21/07/2011 7:41:17 PM - Run 4
OTL by OldTimer - Version 3.2.26.1 Folder = C:\Documents and Settings\Paul\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

959.48 Mb Total Physical Memory | 468.60 Mb Available Physical Memory | 48.84% Memory free
2.26 Gb Paging File | 1.33 Gb Available in Paging File | 59.01% Paging File free
Paging file location(s): C:\pagefile.sys 1440 2880 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 118.59 Gb Total Space | 43.62 Gb Free Space | 36.79% Space Free | Partition Type: NTFS
Drive E: | 114.29 Gb Total Space | 72.48 Gb Free Space | 63.42% Space Free | Partition Type: NTFS

Computer Name: KOOROORA-61578C | User Name: Paul | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/07/20 23:14:38 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\My Documents\Downloads\OTL.exe
PRC - [2011/07/09 14:21:19 | 001,012,792 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
PRC - [2011/06/18 00:03:02 | 000,272,528 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe
PRC - [2011/06/15 16:26:14 | 000,784,000 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcupdate.exe
PRC - [2011/05/26 05:37:14 | 024,176,560 | ---- | M] (Dropbox, Inc.) -- C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe
PRC - [2011/05/25 21:24:16 | 001,306,216 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/05/02 14:38:38 | 001,191,368 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/03/08 15:23:54 | 000,585,728 | ---- | M] () -- C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
PRC - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/12/01 23:56:40 | 000,574,216 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\IntelAppStore\bin\serviceManager.exe
PRC - [2010/09/16 14:06:22 | 000,080,896 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
PRC - [2010/08/23 16:58:06 | 001,531,904 | ---- | M] (Nokia) -- C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
PRC - [2010/06/22 13:22:52 | 000,138,752 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclUSBSrv.exe
PRC - [2010/06/14 14:07:14 | 000,615,936 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe
PRC - [2010/05/11 10:11:58 | 000,134,144 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclMSBTSrv.exe
PRC - [2010/04/13 20:11:16 | 003,045,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKstat.exe
PRC - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2009/10/27 09:15:02 | 000,120,832 | ---- | M] (Nokia) -- C:\Program Files\Nokia\PC Connectivity Solution\Transports\NclRSSrv.exe
PRC - [2008/08/28 19:34:14 | 013,145,448 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe
PRC - [2008/04/14 09:42:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
PRC - [2007/05/10 22:46:20 | 000,624,248 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe


========== Modules (SafeList) ==========

MOD - [2011/07/20 23:14:38 | 000,579,584 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Paul\My Documents\Downloads\OTL.exe
MOD - [2011/04/08 16:56:28 | 000,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/08/24 01:42:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/07/18 14:02:32 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2011/06/18 00:03:02 | 000,237,008 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\3.0.207\McCHSvc.exe -- (McComponentHostService)
SRV - [2011/04/01 01:47:32 | 000,745,472 | ---- | M] () [Disabled | Stopped] -- C:\WINDOWS\System32\GSService.exe -- (GSService)
SRV - [2011/03/17 16:38:42 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/03/13 11:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2011/03/13 11:41:50 | 000,159,832 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/03/13 11:41:36 | 000,165,000 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/02/16 09:37:38 | 000,245,760 | ---- | M] (SMServer) [Disabled | Stopped] -- C:\WINDOWS\System32\snmvtsvc.exe -- (SMServer)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/09/16 14:06:22 | 000,080,896 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
SRV - [2010/06/14 14:07:14 | 000,615,936 | ---- | M] (Nokia) [On_Demand | Running] -- C:\Program Files\Nokia\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2010/04/13 20:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2007/09/10 23:45:04 | 000,124,832 | ---- | M] () [Auto | Running] -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)


========== Driver Services (SafeList) ==========

DRV - [2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy)
DRV - [2011/03/13 11:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 11:20:10 | 000,337,912 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/03/13 11:20:10 | 000,179,248 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/03/13 11:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/03/13 11:20:10 | 000,089,368 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/03/13 11:20:10 | 000,085,984 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/03/13 11:20:10 | 000,083,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2011/03/13 11:20:10 | 000,083,688 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2011/03/13 11:20:10 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 11:20:10 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2011/02/17 01:22:00 | 000,023,608 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SndTAudio.sys -- (SndTAudio)
DRV - [2010/11/29 10:21:05 | 000,483,200 | ---- | M] (ITETech ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AF15BDA.SYS -- (AF15BDA)
DRV - [2010/06/22 18:01:50 | 000,021,248 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\htcnprot.sys -- (htcnprot)
DRV - [2010/04/13 20:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/09/16 09:22:48 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:14 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/08/13 18:41:07 | 000,015,600 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2009/06/10 00:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2008/08/26 09:26:12 | 000,018,816 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/07/13 16:25:22 | 000,027,072 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PCASp50.sys -- (PCASp50)
DRV - [2007/06/22 09:54:32 | 000,087,424 | ---- | M] (Cmotech Co., Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmusbnet.sys -- (cmusbnet) WAN Driver @ 3GPP (6280)
DRV - [2006/12/13 18:31:56 | 000,087,040 | ---- | M] (Cmotech Co.,Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\cmusbser.sys -- (cmusbser)
DRV - [2006/11/27 16:33:54 | 000,019,968 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2006/11/27 16:33:50 | 000,058,368 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2006/10/18 16:31:38 | 000,105,472 | ---- | M] (NVIDIA Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\nvata.sys -- (nvata)
DRV - [2006/06/18 23:37:34 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/09/23 18:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2004/07/09 04:26:38 | 000,015,104 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mpe.sys -- (MPE)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.telstra.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MVT: C:\Program Files\McAfee\Supportability\MVT\NPMVTPlugin.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@facebook.com/FBPlugin,version=1.0.3: C:\Documents and Settings\Paul\Application Data\Facebook\npfbplugin_1_0_3.dll ( )
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Paul\Local Settings\Application Data\Google\Update\1.3.21.57\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2011/05/25 20:10:53 | 000,000,000 | ---D | M]


O1 HOSTS File: ([2011/07/21 16:11:56 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - File not found
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20110625171636.dll (McAfee, Inc.)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Photo Downloader] C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\ALCMTR.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [HTC Sync Loader] C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe ()
O4 - HKLM..\Run: [Intel AppUp(SM) center] C:\Program Files\Intel\IntelAppStore\bin\serviceManager.lnk ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NokiaMServer] C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe (Nokia)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\nvmctray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKCU..\Run: [AdobeBridge] C:\Program Files\Adobe\Adobe Bridge CS4\Bridge.exe (Adobe Systems, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk = C:\Program Files\McAfee Online Backup\MOBKstat.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\3.0.207\SSScheduler.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\Paul\Start Menu\Programs\Startup\Dropbox.lnk = C:\Documents and Settings\Paul\Application Data\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O9 - Extra Button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll ()
O9 - Extra 'Tools' menuitem : Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\SoundTaxi\YouTubeRipper.dll ()
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.138
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/08/13 18:22:03 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/07/21 19:28:34 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/07/21 19:28:30 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/07/21 19:28:30 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/07/21 19:28:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/07/21 19:28:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2011/07/21 19:28:09 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/07/21 19:27:47 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/07/21 19:17:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/07/21 16:39:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Malwarebytes
[2011/07/21 16:39:44 | 000,041,272 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/21 16:39:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/07/21 16:39:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2011/07/21 16:39:35 | 000,022,712 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/07/21 16:39:31 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/07/21 16:11:49 | 000,000,000 | ---D | C] -- C:\_OTL
[2011/07/20 22:50:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Windows Search
[2011/07/20 22:29:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Windows Desktop Search
[2011/07/20 22:19:23 | 000,000,000 | ---D | C] -- C:\Program Files\Windows Desktop Search
[2011/07/20 22:19:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\GroupPolicy
[2011/07/20 22:18:18 | 000,016,928 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spmsg.dll
[2011/07/20 21:33:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2011/07/20 21:33:38 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2011/07/20 21:33:38 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2011/07/20 21:33:38 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2011/07/20 18:38:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2011/07/20 18:37:58 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2011/07/20 18:37:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2011/07/20 18:32:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2011/07/20 18:08:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee Security Scan
[2011/07/20 18:08:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
[2011/07/20 18:08:18 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee Security Scan
[2011/07/20 16:53:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2011/07/20 16:46:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Citrix
[2011/07/20 16:41:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\McAfee
[2011/07/19 11:49:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Start Menu\Programs\HiJackThis
[2011/07/19 11:49:25 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/07/18 22:51:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
[2011/07/18 20:43:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Nero_AG
[2011/07/18 20:06:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\BitTorrent
[2011/07/18 19:42:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\My Documents\AVS4YOU
[2011/07/18 17:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Library
[2011/07/18 17:18:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\com.adobe.ExMan
[2011/07/18 16:25:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\PCHealth
[2011/07/18 15:41:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Microsoft Help
[2011/07/18 15:40:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2011/07/18 12:46:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Local Settings\Application Data\Nero
[2011/07/18 12:46:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Nero
[2011/07/18 12:27:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Nero
[2011/07/14 18:47:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\nView_Profiles
[2011/07/14 17:20:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NVIDIA
[2011/07/07 20:59:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\com.miniclip.vikingdefense
[2011/07/07 20:58:51 | 000,000,000 | ---D | C] -- C:\Program Files\vikingdefense
[2011/07/02 14:23:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Paul\Application Data\Lazy 8 Studios
[2011/07/02 14:22:36 | 000,000,000 | ---D | C] -- C:\Program Files\Lazy 8 Studios
[2011/07/01 19:22:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Dropbox
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/07/21 19:34:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1450960922-2146968213-1004UA.job
[2011/07/21 19:29:00 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/07/21 19:20:27 | 000,000,878 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/07/21 19:20:27 | 000,000,276 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-725345543-1450960922-2146968213-1004.job
[2011/07/21 19:17:41 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/07/21 18:00:00 | 000,000,440 | ---- | M] () -- C:\WINDOWS\tasks\ParetoLogic Registration.job
[2011/07/21 16:39:44 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/07/21 16:39:44 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/21 16:16:12 | 000,081,496 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2011/07/21 16:11:56 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2011/07/21 14:38:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-1450960922-2146968213-1004.job
[2011/07/21 08:34:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1450960922-2146968213-1004Core.job
[2011/07/21 01:06:22 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/07/20 22:19:42 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/07/20 22:19:41 | 000,001,787 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2011/07/20 22:19:33 | 000,505,546 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/07/20 22:19:33 | 000,087,530 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/07/20 20:49:45 | 000,001,676 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\e-Sword.lnk
[2011/07/20 20:36:21 | 000,000,147 | ---- | M] () -- C:\WINDOWS\wininit.ini
[2011/07/20 19:26:39 | 000,000,844 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Photoshop Elements 6.0.lnk
[2011/07/20 19:25:33 | 000,000,670 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\DVD Shrink 3.2.lnk
[2011/07/20 19:25:16 | 000,000,991 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Dropbox.lnk
[2011/07/20 19:17:15 | 000,002,445 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\HiJackThis.lnk
[2011/07/20 18:38:13 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/20 18:08:44 | 000,001,801 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/07/20 17:01:06 | 000,000,792 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/07/20 10:45:19 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/07/20 00:49:23 | 000,026,678 | ---- | M] () -- C:\WINDOWS\MOBK.blk
[2011/07/20 00:49:22 | 000,000,330 | ---- | M] () -- C:\WINDOWS\MOBK.flt
[2011/07/19 17:54:46 | 000,290,888 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/07/18 20:17:07 | 000,018,432 | ---- | M] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/07/18 16:09:36 | 000,002,343 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Angry Birds.lnk
[2011/07/18 13:20:15 | 000,000,800 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
[2011/07/18 13:15:36 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
[2011/07/18 13:15:36 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
[2011/07/15 13:28:40 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\Paul\Desktop\Cogs GO Lite.lnk
[2011/07/15 10:46:20 | 000,002,449 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Fruit Ninja Lite.lnk
[2011/07/15 09:36:11 | 000,002,255 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2011/07/07 20:58:54 | 000,000,680 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\vikingdefense.lnk
[2011/07/07 18:02:35 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2011/07/06 19:52:42 | 000,041,272 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2011/07/06 19:52:42 | 000,022,712 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2011/06/30 19:45:00 | 000,000,223 | RHS- | M] () -- C:\boot.ini
[2011/06/26 16:15:56 | 000,256,000 | ---- | M] () -- C:\WINDOWS\PEV.exe
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\System32\dllcache\*.tmp files -> C:\WINDOWS\System32\dllcache\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/07/21 19:28:34 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/07/21 19:28:31 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/07/21 19:28:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/07/21 19:28:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/07/21 19:28:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/07/21 16:39:44 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes' Anti-Malware.lnk
[2011/07/21 16:39:44 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/07/21 00:35:26 | 000,323,638 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-725345543-1450960922-2146968213-1004-0.dat
[2011/07/20 22:19:41 | 000,001,803 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Search.lnk
[2011/07/20 22:19:41 | 000,001,787 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
[2011/07/20 20:49:45 | 000,001,676 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\e-Sword.lnk
[2011/07/20 19:30:18 | 000,323,638 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
[2011/07/20 19:26:39 | 000,000,844 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Adobe Photoshop Elements 6.0.lnk
[2011/07/20 19:25:33 | 000,000,670 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\DVD Shrink 3.2.lnk
[2011/07/20 19:25:16 | 000,000,991 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Dropbox.lnk
[2011/07/20 19:17:15 | 000,002,445 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\HiJackThis.lnk
[2011/07/20 19:10:27 | 000,000,147 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2011/07/20 18:38:13 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2011/07/20 18:08:29 | 000,001,801 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
[2011/07/20 16:41:29 | 000,001,775 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Virtual Technician.lnk
[2011/07/19 12:36:22 | 000,002,265 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Skype.lnk
[2011/07/18 15:48:33 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Paul\Application Data\Microsoft\Internet Explorer\Quick Launch\Microsoft Office Outlook.lnk
[2011/07/18 14:09:09 | 000,000,818 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Bridge CS4.lnk
[2011/07/18 14:04:30 | 000,001,002 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Extension Manager CS4.lnk
[2011/07/18 14:03:12 | 000,001,104 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe ExtendScript Toolkit CS4.lnk
[2011/07/18 13:15:45 | 000,000,788 | ---- | C] () -- C:\Documents and Settings\Paul\Start Menu\Programs\Windows Media Player.lnk
[2011/07/07 20:58:54 | 000,000,686 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\vikingdefense.lnk
[2011/07/07 20:58:53 | 000,000,680 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\vikingdefense.lnk
[2011/07/02 14:22:55 | 000,002,473 | ---- | C] () -- C:\Documents and Settings\Paul\Desktop\Cogs GO Lite.lnk
[2011/07/02 14:22:55 | 000,002,018 | ---- | C] () -- C:\Documents and Settings\Paul\Start Menu\Programs\Cogs GO Lite.lnk
[2011/06/30 19:10:22 | 000,000,991 | ---- | C] () -- C:\Documents and Settings\Paul\Start Menu\Programs\Startup\Dropbox.lnk
[2011/06/30 19:10:22 | 000,000,780 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Online Backup Status.lnk
[2011/06/24 17:10:37 | 000,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Adobe Reader X.lnk
[2011/06/17 20:48:54 | 000,060,424 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/04/28 20:04:58 | 000,745,472 | ---- | C] () -- C:\WINDOWS\System32\GSService.exe
[2010/10/10 14:41:24 | 000,000,014 | ---- | C] () -- C:\WINDOWS\System32\systeminfo.dll
[2010/10/10 14:41:13 | 000,363,520 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2010/10/10 14:40:12 | 000,000,140 | ---- | C] () -- C:\WINDOWS\System32\AF15IRTBL.bin
[2010/07/08 11:51:42 | 001,161,696 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
[2010/02/08 08:33:26 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2009/12/11 21:05:09 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2009/11/22 18:21:57 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Biblica.ini
[2009/09/29 16:20:00 | 000,018,432 | ---- | C] () -- C:\Documents and Settings\Paul\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/08/31 13:00:22 | 000,021,504 | ---- | C] () -- C:\WINDOWS\System32\WBCustomizer.dll
[2009/08/31 13:00:21 | 000,185,344 | ---- | C] () -- C:\WINDOWS\System32\MemWarp.dll
[2009/08/30 17:12:35 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/08/26 21:44:55 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/08/14 03:23:00 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2009/08/14 03:21:29 | 000,290,888 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/08/13 18:54:25 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/08/13 18:32:57 | 000,001,732 | ---- | C] () -- C:\WINDOWS\System32\drivers\nvphy.bin
[2009/08/13 18:25:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2009/08/13 18:18:03 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2008/05/26 21:59:42 | 000,018,904 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschematrivial.bin
[2008/05/26 21:59:40 | 000,106,605 | ---- | C] () -- C:\WINDOWS\System32\structuredqueryschema.bin
[2008/01/15 03:31:00 | 000,000,530 | ---- | C] () -- C:\WINDOWS\System32\tx14_ic.ini
[2007/09/27 10:51:02 | 000,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 000,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 000,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2006/10/31 16:05:00 | 001,662,976 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/31 16:05:00 | 001,622,016 | ---- | C] () -- C:\WINDOWS\System32\nwiz.exe
[2006/10/31 16:05:00 | 001,470,464 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/31 16:05:00 | 001,339,392 | ---- | C] () -- C:\WINDOWS\System32\nvdspsch.exe
[2006/10/31 16:05:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/31 16:05:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/31 16:05:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/31 16:05:00 | 000,442,368 | ---- | C] () -- C:\WINDOWS\System32\nvappbar.exe
[2006/10/31 16:05:00 | 000,425,984 | ---- | C] () -- C:\WINDOWS\System32\keystone.exe
[2006/10/31 16:05:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/10/31 16:05:00 | 000,196,608 | ---- | C] () -- C:\WINDOWS\System32\nvapi.dll
[2006/02/28 21:30:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2006/02/28 21:30:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2006/02/28 21:30:00 | 000,505,546 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2006/02/28 21:30:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2006/02/28 21:30:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2006/02/28 21:30:00 | 000,087,530 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2006/02/28 21:30:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2006/02/28 21:30:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2006/02/28 21:30:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2006/02/28 21:30:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2006/02/28 21:30:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2006/02/28 21:30:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

< End of report >

Edited by paulgleave, 21 July 2011 - 04:26 AM.

  • 0
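The OTL log above is the kind of output a malware helper reads by hand. As an added example (not the poster's code and not part of OTL or OldTimer's tools), the Python below runs a first triage pass over the row formats that log uses: it flags hosts-file entries that point anywhere other than localhost, a DHCP name server outside the LAN (the assumption being that a home machine's resolver is its router), registry entries whose target file is gone, and executables with no company name, with an allowlist for files that a tool such as ComboFix drops on purpose. The 203.0.113.x addresses and www.example.com are constructed sample values; every other sample row is copied from this thread.

```python
"""Triage helper for OTL log lines. Added example: not the poster's code and not part of OTL.
Sample lines are copied from the log in this thread except where marked constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# File rows: "[date time | size | attrs | C] (Company) -- path"; directory rows omit "(Company)".
FILE_LINE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[-A-Z]{4}) \| [CM]\] (?:\((?P<company>[^()]*)\) )?-- (?P<path>.+)$")
# Registry-derived rows: "O4 - HKLM..\Run: [Name] path (Company)" and similar.
REG_LINE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
COMPANY_TAIL = re.compile(r"^(?P<rest>.*?)\s*\((?P<company>[^()]*)\)$")
WIN_PATH = re.compile(r"[A-Za-z]:\\.*$")

@dataclass(frozen=True)
class Finding:
    section: str  # OTL section id ("O1", "O4", ...) or "FILE" for the file lists
    target: str   # path, hosts mapping or address the finding is about
    reason: str

def _is_exec(path: str) -> bool:
    return path.lower().endswith(EXEC_EXT)

def _is_lan(addr: str) -> bool:
    try:
        return any(ipaddress.ip_address(addr) in net for net in LAN_NETS)
    except ValueError:
        return False

def triage_registry_line(line: str) -> Optional[Finding]:
    """First-pass checks for one O-section row; None means nothing to look at."""
    m = REG_LINE.match(line)
    if not m:
        return None
    section, body = m["section"], m["body"]
    if section == "O1" and body.startswith("Hosts: "):
        # Anything beyond the localhost lines is a candidate redirect.
        parts = body[len("Hosts: "):].split(None, 1)
        if len(parts) == 2 and parts[1].strip().lower() != "localhost":
            return Finding(section, " ".join(parts), "hosts file redirects a name away from localhost")
        return None
    if section == "O17" and "NameServer = " in body:
        # On a home machine the DHCP-assigned resolver is normally the router on the LAN.
        for server in body.split("NameServer = ", 1)[1].split():
            if not _is_lan(server):
                return Finding(section, server, "DNS server is outside the LAN; confirm it is yours")
        return None
    if body.endswith("File not found"):
        return Finding(section, body, "entry points to a file that no longer exists")
    tail = COMPANY_TAIL.match(body)
    if tail and tail["company"] == "":
        path = WIN_PATH.search(tail["rest"])
        if path and _is_exec(path.group(0)):
            return Finding(section, path.group(0), "loaded executable has no company name")
    return None

def triage_file_line(line: str, known_tools: Iterable[str] = ()) -> Optional[Finding]:
    """Flag executables with no company name under the Windows or user trees; known_tools
    lists file names dropped on purpose by tools the helper ran (here, ComboFix's)."""
    m = FILE_LINE.match(line)
    if not m or "D" in m["attrs"]:
        return None  # not a file row, or a directory
    path = m["path"]
    name = path.rsplit("\\", 1)[-1].lower()
    if not _is_exec(path) or (m["company"] or "") != "" or name in {t.lower() for t in known_tools}:
        return None
    if path.lower().startswith(("c:\\windows\\", "c:\\documents and settings\\")):
        return Finding("FILE", path, f"executable created {m['stamp']} with no company name")
    return None

def triage(lines: Iterable[str], known_tools: Iterable[str] = ()) -> List[Finding]:
    tools = tuple(known_tools)
    found = [triage_registry_line(ln) or triage_file_line(ln, tools) for ln in lines]
    return [f for f in found if f is not None]

# Sample input: rows from the OTL log in this thread plus two constructed ones
# (the 203.0.113.x entries use the RFC 5737 documentation range).
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.0.113.7 www.example.com
O2 - BHO: (ContributeBHO Class) - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll ()
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - File not found
O4 - HKLM..\Run: [Intel AppUp(SM) center] C:\Program Files\Intel\IntelAppStore\bin\serviceManager.lnk ()
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.0.0.138
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 203.0.113.53
[2011/07/21 19:28:34 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/07/21 19:28:31 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/07/21 19:28:09 | 000,000,000 | --SD | C] -- C:\ComboFix
[2011/04/28 20:04:58 | 000,745,472 | ---- | C] () -- C:\WINDOWS\System32\GSService.exe
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, known_tools=("PEV.exe",)):
        print(f"{f.section:<4} {f.reason}: {f.target}")
```

A flagged row is a starting point for the helper, not a verdict: PEV.exe is suppressed only because it is on the allowlist, and GSService.exe is flagged purely for lacking a company name.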


#11
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
McAfee eats parts of Combofix so let's pause it then uninstall the old copy:

copy the next line:

"%userprofile%\Desktop\combofix.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

Then download Combofix again from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Rename Combofix.exe to george.exe

Now run george.exe by doubleclicking.


* Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console then Continue. When the scan completes Notepad will open with your results log open. Do a File, Exit and answer 'Yes' to save changes.


IF you can't get it to run or it takes more than an hour then try it in Safe Mode. (Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly. Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking. Login with your usual login.)

If it still won't run then run DDS instead:
Please download DDS from http://download.blee...om/sUBs/dds.com or http://download.blee...om/sUBs/dds.scr
and save it to your desktop.

* Disable any script blocking protection
* Double click dds.pif to run the tool.
* When done, two DDS.txt's will open.
* Save both reports to your desktop.

---------------------------------------------------
Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.


Also GMER:
Download GMER from http://www.gmer.net/download.php. Note the file's name and save it to your root folder, such as C:\.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
  • Click on http://www.bleepingcomputer.com/forums/topic114351.html to see a list of programs that should be disabled.
  • Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
  • Allow the driver to load if asked.
  • You may be prompted to scan immediately if it detects rootkit activity.
  • If you are prompted to scan your system click "No", save the log and post back the results.
  • If not prompted, click the "Rootkit/Malware" tab.
  • On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click the Scan button to begin. (Please be patient as it can take some time to complete)
  • When the scan is finished, click Save to save the scan results to your Desktop.
  • Save the file as Results.log and copy/paste the contents in your next reply.
  • Exit the program and re-enable all active protection when done.

and RootRepeal

We need to check for rootkits with RootRepeal.
  1. Download RootRepeal from the following location and save it to your desktop.
     • Zip Mirrors (Recommended)
       http://ad13.geekstog.../RootRepeal.zip
       http://rootrepeal.ps.../RootRepeal.zip

Let's do a quick check for other problems:

1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
2. Click Properties, and then click Tools.
3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed.
4. Check both boxes and then click Start.
You will receive the following message:
The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
Click Yes to schedule the disk check, but don't restart yet.

Start, Run, eventvwr.msc, OK to bring up the Event Viewer. Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.

Start, Run, sfc /scannow, OK

SPACE after sfc. This will check your critical system files. If it asks for a CD and you don't have one or it doesn't like your CD just tell it to SKIP.

Start, Run, sigverif, OK

Press Start. This will check your drivers. If you just get a few when it finishes tell me what they are. If you get a lot just look for those with newish dates (since about the time the problem started.)


1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:
   * System
4. Under 'Select type to list', select:
   * Error
   * Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
   Type 20 in the 1 to 20 box
   Then click the Run button.
   Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.

Ron
  • 0

#12
paulgleave

paulgleave

    Member

  • Topic Starter
  • Member
  • PipPip
  • 49 posts
Hi Ron, all worked ok with your support for the combofix, only it didn't ask to save changes at the end once I went to file and exit? Here is the log. I will continue to do the rest you have asked. Thanks again
Paul

ComboFix 11-07-21.04 - Paul 22/07/2011 16:10:32.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.497 [GMT 9.5:30]
Running from: c:\documents and settings\Paul\My Documents\Downloads\george.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-22 to 2011-07-22 )))))))))))))))))))))))))))))))
.
.
2011-07-21 07:09 . 2011-07-21 07:09 -------- d-----w- c:\documents and settings\Paul\Application Data\Malwarebytes
2011-07-21 07:09 . 2011-07-06 10:22 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-21 07:09 . 2011-07-21 07:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-21 07:09 . 2011-07-06 10:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-21 07:09 . 2011-07-21 09:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-21 06:41 . 2011-07-21 06:41 -------- d-----w- C:\_OTL
2011-07-20 13:20 . 2011-07-20 13:20 -------- d-----w- c:\documents and settings\Paul\Application Data\Windows Search
2011-07-20 12:59 . 2011-07-20 12:59 -------- d-----w- c:\documents and settings\Paul\Application Data\Windows Desktop Search
2011-07-20 12:50 . 2011-07-20 12:50 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-07-20 12:49 . 2011-07-20 15:41 -------- d-----w- c:\program files\Windows Desktop Search
2011-07-20 12:49 . 2011-07-20 12:49 -------- d-----w- c:\windows\system32\GroupPolicy
2011-07-20 12:03 . 2011-07-20 12:03 -------- d-----w- c:\program files\Common Files\Java
2011-07-20 09:07 . 2011-07-20 09:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-07-20 09:07 . 2011-07-20 09:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-07-20 09:02 . 2011-07-20 09:03 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2011-07-20 08:38 . 2011-07-20 08:38 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2011-07-20 08:38 . 2011-07-20 08:38 -------- d-----w- c:\program files\McAfee Security Scan
2011-07-20 07:23 . 2011-07-20 07:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2011-07-20 07:16 . 2011-07-20 07:16 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Citrix
2011-07-20 07:11 . 2011-07-20 07:11 -------- d-----w- c:\documents and settings\Paul\Application Data\McAfee
2011-07-19 02:19 . 2011-07-19 02:19 388096 ----a-r- c:\documents and settings\Paul\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-07-19 02:19 . 2011-07-19 02:19 -------- d-----w- c:\program files\Trend Micro
2011-07-18 13:21 . 2011-07-18 13:21 -------- d-----w- c:\documents and settings\Paul\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2011-07-18 10:36 . 2011-07-18 10:42 -------- d-----w- c:\documents and settings\Paul\Application Data\BitTorrent
2011-07-18 07:48 . 2011-07-18 07:48 -------- d-----w- c:\documents and settings\Paul\Library
2011-07-18 07:48 . 2011-07-18 07:48 -------- d-----w- c:\documents and settings\Paul\Application Data\com.adobe.ExMan
2011-07-18 06:55 . 2011-07-18 06:55 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\PCHealth
2011-07-18 06:11 . 2011-07-18 06:11 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Microsoft Help
2011-07-18 06:10 . 2011-07-19 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2011-07-18 03:16 . 2011-07-20 09:57 -------- d-----w- c:\documents and settings\Paul\Local Settings\Application Data\Nero
2011-07-18 03:16 . 2011-07-18 14:00 -------- d-----w- c:\documents and settings\Paul\Application Data\Nero
2011-07-18 02:57 . 2011-07-18 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2011-07-14 09:17 . 2011-07-14 09:17 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2011-07-14 07:50 . 2011-07-14 07:50 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2011-07-07 11:29 . 2011-07-07 11:29 -------- d-----w- c:\documents and settings\Paul\Application Data\com.miniclip.vikingdefense
2011-07-07 11:28 . 2011-07-07 11:28 -------- d-----w- c:\program files\vikingdefense
2011-07-02 04:53 . 2011-07-02 04:53 -------- d-----w- c:\documents and settings\Paul\Application Data\Lazy 8 Studios
2011-07-02 04:52 . 2011-07-02 04:52 -------- d-----w- c:\program files\Lazy 8 Studios
2011-07-01 09:52 . 2011-07-01 09:52 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Dropbox
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2006-02-28 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-05-03 19:22 . 2010-06-03 08:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-03 16:55 . 2009-10-23 23:27 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-05-02 15:31 . 2009-08-13 08:48 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2006-02-28 12:00 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2006-02-28 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-26 11:07 . 2006-02-28 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-04-26 11:07 . 2006-02-28 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-04-25 16:11 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2006-02-28 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2006-02-28 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2006-02-28 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Paul\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Paul\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Paul\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\documents and settings\Paul\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-13 10:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-13 10:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-13 10:41 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-08 26100520]
"AdobeBridge"="c:\program files\Adobe\Adobe Bridge CS4\Bridge.exe" [2008-08-28 13145448]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"NvMediaCenter"="NvMCTray.dll" [2006-10-31 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-25 1306216]
"Intel AppUp(SM) center"="c:\program files\Intel\IntelAppStore\bin\serviceManager.lnk" [2011-04-22 933]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-03-08 585728]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-10 67488]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-13 611712]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 624248]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-22 14854144]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Paul\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Paul\Application Data\Dropbox\bin\Dropbox.exe [2011-5-26 24176560]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Online Backup Status.lnk - c:\program files\McAfee Online Backup\MOBKstat.exe [2010-4-13 3045176]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\3.0.207\SSScheduler.exe [2011-6-18 272528]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Documents and Settings\\Paul\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [16/03/2010 5:58 AM 89368]
R1 MOBKFilter;MOBKFilter;c:\windows\system32\drivers\MOBK.sys [19/08/2010 1:41 PM 54776]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [19/08/2010 1:39 PM 214904]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [19/08/2010 1:39 PM 214904]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [19/08/2010 1:39 PM 214904]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [19/08/2010 1:39 PM 159832]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [19/08/2010 1:39 PM 148520]
R2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [13/04/2010 8:11 PM 229688]
R2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [16/09/2010 2:06 PM 80896]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [16/03/2010 5:58 AM 57432]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [16/03/2010 5:58 AM 337912]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [16/03/2010 5:58 AM 83688]
R3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [28/04/2011 8:04 PM 23608]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [14/06/2010 1:04 PM 136176]
S3 cmusbnet;WAN Driver @ 3GPP (6280);c:\windows\system32\drivers\cmusbnet.sys [6/06/2007 11:36 AM 87424]
S3 cmusbser;%CMUSBSER%;c:\windows\system32\drivers\cmusbser.sys [13/12/2006 6:31 PM 87040]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [14/06/2010 1:04 PM 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [16/05/2011 5:44 PM 24576]
S3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\drivers\htcnprot.sys [22/06/2010 6:01 PM 21248]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [21/07/2011 4:39 PM 41272]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.0.207\McCHSvc.exe [18/06/2011 12:03 AM 237008]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [16/03/2010 5:58 AM 83688]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [16/03/2010 5:58 AM 85984]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
S4 GSService;GSService;c:\windows\system32\GSService.exe [28/04/2011 8:04 PM 745472]
S4 SMServer;SMServer;c:\windows\system32\snmvtsvc.exe [28/04/2011 8:04 PM 245760]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-14 03:34]
.
2011-07-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-14 03:34]
.
2011-07-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1450960922-2146968213-1004Core.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 08:54]
.
2011-07-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-725345543-1450960922-2146968213-1004UA.job
- c:\documents and settings\Paul\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-01 08:54]
.
2011-07-21 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 10.0.0.138
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-BE4 Deluxe - c:\documents and settings\All Users\Application Data\{737CF3DA-81A9-45D2-84EA-B73998F39342}\Setup.exe
AddRemove-{E438C007-528B-4C5B-BDE0-CDA428460B50} - c:\documents and settings\All Users\Application Data\{737CF3DA-81A9-45D2-84EA-B73998F39342}\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-22 16:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2100)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\documents and settings\Paul\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\program files\McAfee Online Backup\MOBKshell.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-22 16:21:35
ComboFix-quarantined-files.txt 2011-07-22 06:51
.
Pre-Run: 46,696,873,984 bytes free
Post-Run: 47,100,518,400 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - AD9654E24ADA54C327A226B3580A73D5
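The useful part of a ComboFix log for a thread like this is the 'Reg Loading Points' section: every Run-key value, Startup-folder shortcut and service line is a place a dropped executable can persist. The script below is an added example, not part of the thread and not ComboFix's own code. It parses the three autorun layouts ComboFix prints and flags the entries an analyst reads first: images ComboFix could not find on disk (`[X]`), images that launch from a user-writable folder, and bare filenames that Windows resolves through a PATH search. `SAMPLE` mixes lines copied from the log above with one constructed entry (`example.exe` under a constructed user's Temp folder) so that every rule fires once; the flags are triage hints, not verdicts.

```python
"""Triage of ComboFix autorun lines.

Added example, not part of the thread or of ComboFix itself.  It parses the
three autorun layouts ComboFix prints in its 'Reg Loading Points' section
(Run-key values, Startup-folder .lnk lines and service/driver lines) and
flags the entries an analyst reads first.  SAMPLE mixes lines copied from the
log above with one constructed entry (example.exe in a Temp folder).
"""
import re

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<image>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
LNK_RE = re.compile(r'^(?P<name>.+?\.lnk) - (?P<image>.+?) \[(?P<meta>[^\]]*)\]\s*$')
SVC_RE = re.compile(r'^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);'
                    r'(?P<image>.+?) \[(?P<meta>[^\]]*)\]\s*$')
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$', re.IGNORECASE)

# Locations an unprivileged user can write to.  Launching from one of these is
# not proof of malice (Dropbox installs per-user this way) but it is where
# drop-and-run adware ends up, so such entries are surfaced for a closer look.
USER_WRITABLE = ('\\documents and settings\\', '\\application data\\',
                 '\\local settings\\', '\\temp\\', '\\users\\', '\\appdata\\')

# Lines copied from the ComboFix log in this thread, plus one constructed
# entry ("example") used to exercise the user-writable rule.
SAMPLE = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-08 26100520]
"example"="c:\documents and settings\User\Local Settings\Temp\example.exe" [2011-07-20 48128]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-05-25 1306216]
.
c:\documents and settings\Paul\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Paul\Application Data\Dropbox\bin\Dropbox.exe [2011-5-26 24176560]
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [16/03/2010 5:58 AM 89368]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [19/08/2010 1:39 PM 214904]
'''


def _image_path(image):
    """Executable path from an image string, dropping any arguments."""
    image = image.strip()
    if image.startswith('"'):
        return image[1:image.find('"', 1)]
    return image


def _reasons(image, meta):
    """Triage flags for one autorun entry (empty list means nothing notable)."""
    path = _image_path(image).lower()
    reasons = []
    if meta.strip() == 'X':
        reasons.append('file not found on disk ([X])')
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append('runs from a user-writable location')
    if '\\' not in path and ':' not in path:
        reasons.append('bare filename resolved via PATH search')
    return reasons


def triage(text):
    """Return flagged entries as dicts with source, kind, name, image, reasons."""
    findings = []
    source = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            source = key.group('key')
            continue
        if line.lower().endswith('\\startup\\'):
            source = line
            continue
        for kind, rx in (('run key', RUN_RE), ('startup folder', LNK_RE), ('service', SVC_RE)):
            m = rx.match(line)
            if m:
                break
        else:
            continue
        reasons = _reasons(m.group('image'), m.group('meta'))
        if reasons:
            findings.append({'source': 'services' if kind == 'service' else source,
                             'kind': kind, 'name': m.group('name'),
                             'image': _image_path(m.group('image')), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f"[{f['kind']}] {f['name']} -> {f['image']}")
        for r in f['reasons']:
            print('    -', r)
```

Run against the real log above, the user-writable rule fires on the Dropbox shortcut and on nothing else, the `[X]` rule fires on NokiaMServer, and the bare-filename rule fires on nwiz, NvMediaCenter, BluetoothAuthenticationAgent and RTHDCPL, all of which are vendor entries that rely on the image living in System32. A PATH-resolved name is still worth confirming on disk, because a same-named file placed earlier in the search order wins.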

#13 paulgleave (Topic Starter)

Hi Ron, I ran GMER and my computer restarted halfway through and is running slower than ever now. Very slow. Microsoft opened a window and displayed this message:

Address a problem with a memory leak in a kernel mode driver
A memory leak in a kernel mode driver has stopped working properly.
Click the following link to read a Knowledge Base article that might help you identify and solve the problem:
How to Use Memory Pool Monitor (Poolmon.exe) to Troubleshoot Kernel Mode Memory Leaks

What do you want me to do?
Regards
Paul

#14 RKinner (Malware Expert, MVP)

Can you run george again? Remember to turn off McAfee.

Get Process Explorer

http://live.sysinter...com/procexp.exe

Save it to your desktop, then run it (Vista or Win7: right-click and Run As Administrator). Click once or twice on the Private Bytes column header to sort by memory usage with the big hitters at the top. File, Save As, Save. Open the file Procexp.txt on your desktop and copy and paste the text into a reply. Wait a minute or two and repeat File, Save As, Save, but give it a different name, say Procexp1.txt. Open Procexp1.txt on your desktop and copy and paste that text into a reply too.

Ron
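Two Process Explorer saves a minute apart are only useful if you compare them, and reading two sorted lists by eye misses slow growers. The script below is an added example, not part of the thread and not a Sysinternals tool. It assumes the layout of Process Explorer's File > Save output (tab-separated, one header row naming the visible columns, memory columns printed like "12,345 K"), parses both saves, and reports per-PID Private Bytes growth plus processes that appeared or vanished between them. The two snapshots are constructed: the process names and PIDs follow the GMER log in this thread, the byte counts are invented so that one process shows a clear jump.

```python
"""Compare two Process Explorer snapshots for memory growth.

Added example, not part of the thread or of Sysinternals' tools.  Assumed
layout of Process Explorer's File > Save output: tab-separated, a header row
naming the visible columns, memory columns printed like "12,345 K".  Both
snapshots are constructed (names/PIDs from the GMER log, invented sizes).
"""
import re

SNAPSHOT_1 = """Process\tPID\tCPU\tPrivate Bytes\tWorking Set\tDescription\tCompany Name
System Idle Process\t0\t97.2\t0 K\t28 K\t\t
svchost.exe\t864\t0.5\t23,104 K\t30,212 K\tGeneric Host Process for Win32 Services\tMicrosoft Corporation
services.exe\t1032\t\t3,520 K\t4,088 K\tServices and Controller app\tMicrosoft Corporation
lsass.exe\t1044\t\t4,212 K\t1,760 K\tLSA Shell (Export Version)\tMicrosoft Corporation
explorer.exe\t2100\t1.1\t31,800 K\t40,020 K\tWindows Explorer\tMicrosoft Corporation
"""

SNAPSHOT_2 = """Process\tPID\tCPU\tPrivate Bytes\tWorking Set\tDescription\tCompany Name
System Idle Process\t0\t96.8\t0 K\t28 K\t\t
svchost.exe\t864\t12.3\t71,960 K\t78,416 K\tGeneric Host Process for Win32 Services\tMicrosoft Corporation
services.exe\t1032\t\t3,520 K\t4,088 K\tServices and Controller app\tMicrosoft Corporation
lsass.exe\t1044\t\t4,220 K\t1,768 K\tLSA Shell (Export Version)\tMicrosoft Corporation
explorer.exe\t2100\t0.9\t31,812 K\t40,032 K\tWindows Explorer\tMicrosoft Corporation
procexp.exe\t3412\t2.0\t9,104 K\t14,300 K\tSysinternals Process Explorer\tSysinternals - www.sysinternals.com
"""


def _kb(field):
    """'23,104 K' -> 23104; an empty or non-numeric cell -> 0."""
    m = re.match(r'\s*([\d,]+)\s*K', field)
    return int(m.group(1).replace(',', '')) if m else 0


def parse_snapshot(text):
    """Map PID -> (process name, Private Bytes in KB), keyed on the header row."""
    rows = [r for r in text.splitlines() if r.strip()]
    col = {name: i for i, name in enumerate(rows[0].split('\t'))}
    procs = {}
    for row in rows[1:]:
        cells = row.split('\t')
        try:
            pid = int(cells[col['PID']])
        except (ValueError, IndexError):
            continue  # skip malformed rows rather than abort the comparison
        procs[pid] = (cells[col['Process']], _kb(cells[col['Private Bytes']]))
    return procs


def compare(before, after, min_growth_kb=1024):
    """Return (growth, new, gone).

    growth: [(name, pid, kb_before, kb_after, delta_kb)] for PIDs present in
    both snapshots that grew by at least min_growth_kb, largest delta first.
    new / gone: [(name, pid)] for processes present in only one snapshot.
    PIDs are compared, not names, so a restarted process shows as gone + new.
    """
    a, b = parse_snapshot(before), parse_snapshot(after)
    growth = []
    for pid, (name, kb_after) in b.items():
        if pid in a:
            delta = kb_after - a[pid][1]
            if delta >= min_growth_kb:
                growth.append((name, pid, a[pid][1], kb_after, delta))
    growth.sort(key=lambda r: r[4], reverse=True)
    new = [(name, pid) for pid, (name, _) in b.items() if pid not in a]
    gone = [(name, pid) for pid, (name, _) in a.items() if pid not in b]
    return growth, new, gone


if __name__ == '__main__':
    growth, new, gone = compare(SNAPSHOT_1, SNAPSHOT_2)
    for name, pid, kb0, kb1, delta in growth:
        print(f"{name} (PID {pid}): {kb0:,} K -> {kb1:,} K  (+{delta:,} K)")
    print('new:', new, 'gone:', gone)
```

One caveat for this particular thread: Private Bytes is user-mode commit, so a leak in a kernel-mode driver, which is what the Windows message in the previous post describes, will not show up as growth in any one process. Kernel paged and nonpaged pool totals are under View > System Information in Process Explorer, and poolmon, the tool the message links to, is what breaks pool usage down by allocation tag so the driver can be identified.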

#15 paulgleave (Topic Starter)

Hi Ron, hope you have a good weekend. I did get to run GMER and have saved the log below. So I will wait to run George again till I hear from you. I will run Process Explorer when I have finished here.
Kindest Regards
Paul

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-23 10:11:25
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c WDC_WD2500JB-00REA0 rev.20.00K20
Running: f18tukro.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\kwkdrfod.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7295D70]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7295D84]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7295DB0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7295E06]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF7295D5C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7295D34]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7295D48]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF7295D9A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF7295DDC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7295DC6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF7295E30]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF7295E1C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7295DF0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504B08 7 Bytes JMP F7295DF4 mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6BEA380, 0x2468FD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 624199A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[272] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01200FEF
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0120002F
.text C:\WINDOWS\system32\svchost.exe[864] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01200014
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011F0000
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011F0F4B
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011F0F5C
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011F0F77
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011F0F94
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011F0FB6
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011F0F15
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011F0F26
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011F008C
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011F0EF3
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011F0ECE
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011F0FA5
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011F0FE5
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011F0051
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011F0022
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011F0011
.text C:\WINDOWS\system32\svchost.exe[864] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011F0F04
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01220FC3
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0122004A
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01220FDE
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01220FEF
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01220039
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01220000
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01220F8D
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [42, 89]
.text C:\WINDOWS\system32\svchost.exe[864] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01220FA8
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01210F86
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!system 77C293C7 5 Bytes JMP 01210F97
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01210FBC
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01210FE3
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01210011
.text C:\WINDOWS\system32\svchost.exe[864] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01210000
.text C:\WINDOWS\system32\services.exe[1032] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[1032] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00040FCD
.text C:\WINDOWS\system32\services.exe[1032] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00040FDE
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D50F8F
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D5007A
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D50069
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D50FAC
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D50033
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D50F74
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D500BA
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D50F59
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D500F2
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D5010D
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D50058
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D50011
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D500A9
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D50022
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D50FD1
.text C:\WINDOWS\system32\services.exe[1032] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D500D7
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070076
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070FE5
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0007005B
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[1032] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060036
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FC6
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[1032] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[1032] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\lsass.exe[1044] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F2000A
.text C:\WINDOWS\system32\lsass.exe[1044] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F20FDE
.text C:\WINDOWS\system32\lsass.exe[1044] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E40FAF
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E40FC0
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E4009A
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E4007D
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E40051
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E400DA
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E400BF
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E40106
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E40F63
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E40F52
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E40062
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E4001B
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E40F94
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E40FE5
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E4002C
.text C:\WINDOWS\system32\lsass.exe[1044] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E400EB
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E10FC3
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E10F86
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E10FDE
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E10FEF
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E10F97
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E1000A
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E10039
.text C:\WINDOWS\system32\lsass.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E10FB2
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E00F8B
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E00FA6
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E0000C
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E00FEF
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E00FC1
.text C:\WINDOWS\system32\lsass.exe[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E00FD2
.text C:\WINDOWS\system32\lsass.exe[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DF0000
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F40FCD
.text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F40FDE
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F30F8D
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F30078
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F3005B
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F30F9E
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30036
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F300BA
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F300A9
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F30F2B
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F30F3C
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F300DF
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F30FAF
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F30F7C
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F30F57
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F70040
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F70FC0
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70FE5
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F7001B
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70087
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F7000A
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F70062
.text C:\WINDOWS\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F70051
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60036
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F60025
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F60FBC
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F60FAB
.text C:\WINDOWS\system32\svchost.exe[1220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60FE3
.text C:\WINDOWS\system32\svchost.exe[1220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F50000
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C40022
.text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C40011
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C30F81
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C30F9C
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C30FAD
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C30076
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C30051
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C30F53
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C3009B
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C30F16
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C30F27
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C300CA
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C30FCA
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C30F70
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30FEF
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C30F42
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70FC0
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C70F83
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C7001B
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C7000A
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C70F94
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C70FAF
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E7, 88] {OUT 0x88, EAX}
.text C:\WINDOWS\system32\svchost.exe[1272] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C70036
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60F9C
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60FB7
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C6000C
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60027
.text C:\WINDOWS\system32\svchost.exe[1272] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60FD2
.text C:\WINDOWS\system32\svchost.exe[1272] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\System32\svchost.exe[1396] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 03020FEF
.text C:\WINDOWS\System32\svchost.exe[1396] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 03020014
.text C:\WINDOWS\System32\svchost.exe[1396] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 03020FD4
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03010FEF
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0301005F
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0301004E
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0301003D
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0301002C
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03010FA5
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03010F3C
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03010F4D
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 030100B0
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03010F17
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03010EFC
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03010F8A
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03010000
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0301007A
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0301001B
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03010FC0
.text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0301009F
.text C:\WINDOWS\System32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0207002C
.text C:\WINDOWS\System32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02070FAC
.text C:\WINDOWS\System32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02070FDB
.text C:\WINDOWS\System32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02070011
.text C:\WINDOWS\System32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02070069
.text C:\WINDOWS\System32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02070000
.text C:\WINDOWS\System32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0207004E
.text C:\WINDOWS\System32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0207003D
.text C:\WINDOWS\System32\svchost.exe[1396] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02060F9E
.text C:\WINDOWS\System32\svchost.exe[1396] msvcrt.dll!system 77C293C7 5 Bytes JMP 02060033
.text C:\WINDOWS\System32\svchost.exe[1396] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02060FCD
.text C:\WINDOWS\System32\svchost.exe[1396] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02060FEF
.text C:\WINDOWS\System32\svchost.exe[1396] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02060018
.text C:\WINDOWS\System32\svchost.exe[1396] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02060FDE
.text C:\WINDOWS\System32\svchost.exe[1396] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02050FEF
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 02040FEF
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 02040FCA
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 02040FB9
.text C:\WINDOWS\System32\svchost.exe[1396] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 0204000A
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00640011
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00630087
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0063006C
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00630F9E
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00630051
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00630FB9
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006300A4
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00630F5C
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006300DA
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006300BF
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00630F30
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00630040
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00630FE5
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00630F77
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00630025
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00630FCA
.text C:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00630F41
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00660036
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0066007D
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00660025
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00660FE5
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00660062
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00660051
.text C:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00660FD4
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00650F90
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00650011
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00650FC6
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00650FA1
.text C:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00650FD7
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00790014
.text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00790FD4
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00780065
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00780F66
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00780040
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00780025
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00780F9E
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00780F38
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00780F49
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007800B6
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00780F1D
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007800C7
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00780F8D
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00780FD4
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00780076
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00780FAF
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00780000
.text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0078009B
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00950FCA
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00950FA5
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0095001B
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0095000A
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00950062
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00950FE5
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00950047
.text C:\WINDOWS\system32\svchost.exe[1496] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00950036
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00940FA8
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!system 77C293C7 5 Bytes JMP 00940FB9
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00940018
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00940FEF
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00940029
.text C:\WINDOWS\system32\svchost.exe[1496] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00940FDE
.text C:\WINDOWS\system32\svchost.exe[1496] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 009E0FE5
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 009E0011
.text C:\WINDOWS\system32\svchost.exe[1684] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009E0000
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009D000A
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009D0F8B
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009D0F9C
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009D0FB9
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009D0076
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009D0091
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009D0F49
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009D0F24
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009D00B3
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009D0F13
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009D0FE5
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009D0025
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009D0F70
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009D0051
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009D0036
.text C:\WINDOWS\system32\svchost.exe[1684] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009D00A2
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A10011
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A10F8A
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A10000
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A10FD4
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A10047
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A10FE5
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A10036
.text C:\WINDOWS\system32\svchost.exe[1684] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A10FA5
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A00FAF
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A0003A
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A00FDE
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A00029
.text C:\WINDOWS\system32\svchost.exe[1684] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A0000C
.text C:\WINDOWS\system32\svchost.exe[1684] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0FEF
.text C:\WINDOWS\Explorer.EXE[1824] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0009000A
.text C:\WINDOWS\Explorer.EXE[1824] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090FEF
.text C:\WINDOWS\Explorer.EXE[1824] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0009001B
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0060
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0F61
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F72
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0F83
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FAF
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B0F2E
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F3F
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00AC
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B009B
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B00C7
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0F94
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B000A
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B0F50
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B001B
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\Explorer.EXE[1824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B0F1D
.text C:\WINDOWS\Explorer.EXE[1824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A002F
.text C:\WINDOWS\Explorer.EXE[1824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0080
.text C:\WINDOWS\Explorer.EXE[1824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A000A
.text C:\WINDOWS\Explorer.EXE[1824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0FD4
.text C:\WINDOWS\Explorer.EXE[1824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0065
.text C:\WINDOWS\Explorer.EXE[1824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A0FE5
.text C:\WINDOWS\Explorer.EXE[1824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A004A
.text C:\WINDOWS\Explorer.EXE[1824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0FC3
.text C:\WINDOWS\Explorer.EXE[1824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B0FAD
.text C:\WINDOWS\Explorer.EXE[1824] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FBE
.text C:\WINDOWS\Explorer.EXE[1824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B002E
.text C:\WINDOWS\Explorer.EXE[1824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[1824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0FD9
.text C:\WINDOWS\Explorer.EXE[1824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B001D
.text C:\WINDOWS\Explorer.EXE[1824] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\Explorer.EXE[1824] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002D0000
.text C:\WINDOWS\Explorer.EXE[1824] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002D0011
.text C:\WINDOWS\Explorer.EXE[1824] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 002D0022
.text C:\WINDOWS\Explorer.EXE[1824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01580FEF
.text C:\WINDOWS\system32\svchost.exe[1952] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 00910000
.text C:\WINDOWS\system32\svchost.exe[1952] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1952] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 0091001B
.text C:\WINDOWS\system32\svchost.exe[1952] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1952] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 3 Bytes JMP 00910FE5
.text C:\WINDOWS\system32\svchost.exe[1952] ntdll.dll!NtProtectVirtualMemory + 4 7C90D6F2 1 Byte [84]
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00900FEF
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00900F6F
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0090006E
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00900051
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00900036
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00900025
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00900F4D
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00900F5E
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009000CB
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00900F32
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00900F17
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00900F94
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00900089
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0090000A
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00900FB9
.text C:\WINDOWS\system32\svchost.exe[1952] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009000B0
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF002F
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0087
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF0FDE
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF000A
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0076
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BF005B
.text C:\WINDOWS\system32\svchost.exe[1952] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0040
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0FA6
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0027
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FC1
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0016
.text C:\WINDOWS\system32\svchost.exe[1952] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[1952] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1952] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00920FDE
.text C:\WINDOWS\system32\svchost.exe[1952] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00920FCD
.text C:\WINDOWS\system32\svchost.exe[1952] WININET.dll!InternetOpenUrlW 3D9A6D5F 5 Bytes JMP 00920FB2
.text C:\WINDOWS\system32\svchost.exe[1952] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00640000
.text C:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00640FE5
.text C:\WINDOWS\system32\svchost.exe[2020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00640011
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00630FE5
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00630080
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00630F95
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00630FB2
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00630FC3
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0063004A
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006300C2
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006300A5
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006300EE
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006300DD
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006300FF
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00630065
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00630F7A
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0063002F
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00630FD4
.text C:\WINDOWS\system32\svchost.exe[2020] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00630F5F
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00850FB9
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0085005E
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00850FDE
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0085000A
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00850F97
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00850FEF
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00850FA8
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A5, 88]
.text C:\WINDOWS\system32\svchost.exe[2020] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0085002F
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00660F9A
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!system 77C293C7 5 Bytes JMP 00660025
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00660FC6
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00660FAB
.text C:\WINDOWS\system32\svchost.exe[2020] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[2020] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\SearchIndexer.exe[3140] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[564] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [0040A4B0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[564] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0040A510] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310@64a769c7fb36 0xE7 0x15 0x8E 0xEC ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a310@64a769c7fb36 0xE7 0x15 0x8E 0xEC ...

---- EOF - GMER 1.0.15 ----