Exploit trojans?

#1 dantemic1
Member, 16 posts

Hi,

I recently ran a scan using the Microsoft Security scanner, and it said that it partially removed a few things: Exploit:JS/MULTDC, Exploit:win32/Pdfjsc.GG, and Exploit:win32/Pdfjsc.KJ. Before I posted I did download OTL, but when I would do the quick scan it would stop responding about 4 seconds into the scan. I tried it a few times, but it kept doing the same thing, so I decided to do the scan in safe mode, and here is what I got from that. Oh, and I would also like to mention that before I came here to post this in the forum, I attempted to do a factory restore, but when I put the disk in it said that it did not detect any backup disks. I don’t really know if a virus can prevent the computer from reading my disk or not, but I thought that I would let you know about that as well. Oh, and I do have keys on my keyboard that stopped working, and there are a couple that will stop working and then start working again. A couple of the keys that stopped working for a little bit were the F5 and F8 keys. I appreciate any and all help that you can give me. Thanks :)

OTL logfile created on: 10/20/2011 12:05:22 AM - Run 2
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Users\cliff\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.99 Gb Total Physical Memory | 1.56 Gb Available Physical Memory | 78.39% Memory free
4.21 Gb Paging File | 3.94 Gb Available in Paging File | 93.56% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 54.79 Gb Free Space | 49.67% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: cliff | Logged in as Administrator.
Boot Mode: SafeMode | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/10/19 23:41:58 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Users\cliff\Downloads\OTL (1).exe
PRC - [2009/04/11 01:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/01/20 21:24:02 | 000,498,176 | ---- | M] (Microsoft Corporation) -- C:\Windows\HelpPane.exe


========== Modules (No Company Name) ==========


========== Win32 Services (SafeList) ==========

SRV - [2011/10/20 00:03:29 | 000,017,408 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\rpcnetp.exe -- (rpcnetp)
SRV - [2011/10/06 16:41:16 | 000,166,024 | ---- | M] () [Unknown | Stopped] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Disabled | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/19 15:59:30 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2011/08/19 15:55:34 | 000,160,344 | ---- | M] () [Unknown | Stopped] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/08/12 17:13:26 | 000,087,040 | ---- | M] () [Auto | Stopped] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
SRV - [2011/06/06 12:55:28 | 000,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Stopped] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/03/17 16:38:42 | 000,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/02/24 21:08:34 | 000,566,688 | ---- | M] (Affinegy, Inc.) [Auto | Stopped] -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe -- (AffinegyService)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Unknown | Stopped] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/04/13 21:11:14 | 000,229,688 | ---- | M] (McAfee, Inc.) [Auto | Stopped] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/03/18 11:19:26 | 000,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/12/07 19:29:44 | 000,055,016 | ---- | M] (Xobni Corporation) [Auto | Stopped] -- C:\Program Files\Xobni\XobniService.exe -- (XobniService)
SRV - [2008/11/09 15:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Stopped] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/09/05 11:52:32 | 003,220,856 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
SRV - [2008/05/05 17:25:46 | 000,165,416 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/02/21 17:02:53 | 000,238,968 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2008/01/21 18:54:46 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/01/20 21:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/17 18:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/12/25 16:07:14 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Stopped] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2007/12/03 19:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 20:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Stopped] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/10/30 02:35:40 | 000,937,984 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2007/10/23 19:27:16 | 000,066,928 | ---- | M] () [Auto | Stopped] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/09/28 19:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) [Auto | Stopped] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/01/25 21:47:50 | 000,136,816 | ---- | M] () [Auto | Stopped] -- C:\Toshiba\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/10/05 15:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Stopped] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/08/15 10:00:06 | 000,461,864 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/08/15 10:00:06 | 000,338,040 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/08/15 10:00:06 | 000,180,072 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/08/15 10:00:06 | 000,164,776 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2011/08/15 10:00:06 | 000,119,808 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/08/15 10:00:06 | 000,087,808 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/08/15 10:00:06 | 000,064,712 | ---- | M] (McAfee, Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2011/08/15 10:00:06 | 000,059,288 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/08/15 10:00:06 | 000,057,432 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/06/23 10:23:44 | 000,023,040 | ---- | M] (Windows ® Win 7 DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\htcnprot.sys -- (htcnprot)
DRV - [2010/04/13 21:10:22 | 000,054,776 | ---- | M] (Mozy, Inc.) [File_System | System | Stopped] -- C:\Windows\System32\drivers\MOBK.sys -- (MOBKFilter)
DRV - [2009/11/04 17:54:12 | 000,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 17:53:40 | 000,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/09/21 10:43:50 | 000,123,776 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ss_mdm.sys -- (ss_mdm)
DRV - [2009/09/21 10:43:48 | 000,098,560 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ss_bus.sys -- (ss_bus) SAMSUNG Mobile USB Device 1.0 driver (WDM)
DRV - [2009/09/21 10:43:48 | 000,014,848 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ss_mdfl.sys -- (ss_mdfl)
DRV - [2009/09/02 04:09:24 | 000,176,128 | ---- | M] (Realtek ) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2009/06/10 00:49:32 | 000,024,576 | ---- | M] (HTC, Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ANDROIDUSB.sys -- (HTCAND32)
DRV - [2008/10/09 15:42:42 | 000,017,408 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\KMWDFILTER.sys -- (KMWDFILTER)
DRV - [2008/07/29 05:05:04 | 000,919,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2008/01/21 17:42:24 | 000,285,184 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32)
DRV - [2008/01/20 21:23:20 | 002,225,664 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\NETw3v32.sys -- (NETw3v32) Intel®
DRV - [2007/11/09 16:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ)
DRV - [2007/10/02 14:43:22 | 000,064,128 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2007/08/31 19:43:32 | 000,020,352 | ---- | M] (Atheros Communications, Inc.) [Kernel | System | Stopped] -- C:\Windows\System32\drivers\jswpslwf.sys -- (jswpslwf)
DRV - [2007/02/02 05:00:00 | 000,009,464 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\Windows\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2007/02/02 05:00:00 | 000,009,336 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\Windows\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2007/01/24 17:44:06 | 000,290,304 | ---- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tifm21.sys -- (tifm21)
DRV - [2006/11/28 18:11:00 | 001,161,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2006/11/09 00:32:00 | 000,219,264 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10i.sys -- (KR10I)
DRV - [2006/11/09 00:31:00 | 000,211,072 | ---- | M] (TOSHIBA CORPORATION) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\kr10n.sys -- (KR10N)
DRV - [2006/10/23 19:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/18 14:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2006/10/10 22:33:00 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tosporte.sys -- (tosporte)
DRV - [2006/08/30 11:35:58 | 000,140,800 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2006/07/28 19:25:26 | 000,019,456 | ---- | M] (COMPAL ELECTRONIC INC.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\LPCFilter.sys -- (LPCFilter)
DRV - [2002/10/01 16:43:32 | 000,119,798 | ---- | M] (SP) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\SPCA561.SYS -- (CA561)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: - No CLSID value found
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {b843a48a-b70f-45cd-a15a-6c2b30c2c11e} - C:\Program Files\Gamers Unite! Snag Bar\Helper.dll ()
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@emusic.com/dlm-plugin: C:\Program Files\eMusic Download Manager\plugin\npemusic.dll (eMusic.com)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: c:\progra~1\mcafee\msc\npmcsn~1.dll ()
FF - HKLM\Software\MozillaPlugins\@mcafee.com/MVT: C:\Program Files\McAfee\Supportability\MVT\NPMVTPlugin.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.5: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3538.0513: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@RIM.com/WebSLLauncher,version=1.0: C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll ()
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@emusic.com/dlm-plugin: C:\Program Files\eMusic Download Manager\plugin\npemusic.dll (eMusic.com)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Users\cliff\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Users\cliff\AppData\Local\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Users\cliff\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Program Files\eMusic Download Manager\xulrunner\components [2010/02/15 20:19:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Program Files\eMusic Download Manager\xulrunner\plugins [2011/09/15 10:40:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{B728AB94-9BC7-49b7-B76A-422BB31B2FD0}: C:\Program Files\ArcSoft\Media Converter for Philips\Internet Video Downloader\Plugin_FireFox [2009/11/27 16:32:14 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2011/09/26 17:43:03 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2011/10/19 09:33:42 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/10 12:17:09 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/15 10:40:04 | 000,000,000 | ---D | M]

[2011/04/19 09:13:10 | 000,000,000 | ---D | M] (No name found) -- C:\Users\cliff\AppData\Roaming\mozilla\Extensions
[2009/10/06 18:24:08 | 000,000,000 | ---D | M] (No name found) -- C:\Users\cliff\AppData\Roaming\mozilla\Extensions\[email protected]
[2009/03/22 18:59:20 | 000,000,000 | ---D | M] (No name found) -- C:\Users\cliff\AppData\Roaming\mozilla\Extensions\[email protected]
[2008/12/24 20:24:42 | 000,000,000 | ---D | M] (No name found) -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\extensions
[2008/12/24 20:24:42 | 000,000,000 | ---D | M] ("Ask Toolbar for Firefox") -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2011/08/22 15:55:06 | 000,000,000 | ---D | M] (No name found) -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\Profiles\hrl7wxku.default\extensions
[2011/07/31 19:38:35 | 000,000,000 | ---D | M] (Mafia Mofo Tools Community Toolbar) -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\Profiles\hrl7wxku.default\extensions\{60e2adb1-527c-4b38-becd-70dc757b57ca}
[2011/08/10 08:27:43 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\Profiles\hrl7wxku.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/04/19 10:44:08 | 000,000,000 | ---D | M] (Conduit Engine) -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\Profiles\hrl7wxku.default\extensions\[email protected]
[2011/06/14 18:24:21 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/19 09:13:26 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/05/20 18:02:25 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/06 17:31:44 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/22 01:35:00 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/23 19:45:56 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/02 11:25:47 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/06/14 18:24:22 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2010/02/15 20:19:34 | 000,000,000 | ---D | M] (eMusic - Apple iTunes Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\[email protected]
[2010/02/15 20:19:34 | 000,000,000 | ---D | M] (eMusic - Nullsoft Winamp Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\[email protected]
[2010/02/15 20:19:34 | 000,000,000 | ---D | M] (eMusic - Microsoft Media Player Support) -- C:\PROGRAM FILES\EMUSIC DOWNLOAD MANAGER\XULRUNNER\EXTENSIONS\[email protected]
[2011/04/30 12:55:41 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/04/14 14:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2011/05/04 04:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2010/01/01 03:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/01/04 12:52:04 | 000,002,024 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml

========== Chrome ==========

CHR - default_search_provider: Yahoo! (Enabled)
CHR - default_search_provider: search_url = http://search.yahoo....p={searchTerms}
CHR - default_search_provider: suggest_url = http://ff.search.yah...d={searchTerms}
CHR - plugin: Shockwave Flash (Enabled) = C:\Users\cliff\AppData\Local\Google\Chrome\Application\14.0.835.202\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java™ Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60531.0\npctrl.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Microsoft\u00AE Windows Media Player Firefox Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
CHR - plugin: Microsoft Office Live Plug-in for Firefox (Enabled) = C:\Program Files\Microsoft\Office Live\npOLW.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Users\cliff\AppData\Local\Google\Chrome\Application\14.0.835.202\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Users\cliff\AppData\Local\Google\Chrome\Application\14.0.835.202\pdf.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Users\cliff\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.40.135.1_0\McChPlg.dll
CHR - plugin: McAfee SiteAdvisor (Enabled) = C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll
CHR - plugin: RIM Handheld Application Loader (Enabled) = C:\Program Files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.69\npGoogleUpdate3.dll
CHR - plugin: McAfee Virtual Technician (Enabled) = C:\Program Files\McAfee\Supportability\MVT\NPMVTPlugin.dll
CHR - plugin: Windows Live\u0099 Photo Gallery (Enabled) = C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll
CHR - plugin: eMusic Remote Plugin (Enabled) = C:\Program Files\eMusic Download Manager\plugin\npemusic.dll
CHR - plugin: BrowserPlus (from Yahoo!) v2.9.8 (Enabled) = C:\Users\cliff\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: McAfee SecurityCenter (Enabled) = c:\progra~1\mcafee\msc\npmcsn~1.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Angry Birds = C:\Users\cliff\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.1.2_0\
CHR - Extension: SiteAdvisor = C:\Users\cliff\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho\3.40.135.1_0\
CHR - Extension: ShopAtHome.com extension = C:\Users\cliff\AppData\Local\Google\Chrome\User Data\Default\Extensions\igapgnpnmadafimalefljcfplikonjpp\6.0.0.1_0\
CHR - Extension: Pink Sunset Beach = C:\Users\cliff\AppData\Local\Google\Chrome\User Data\Default\Extensions\oefjaclpakkofpcfabmkmdafjhkamhha\1.0_0\

O1 HOSTS File: ([2006/09/18 16:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll (Yahoo! Inc.)
O2 - BHO: (IEPlugin Class) - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\Program Files\ArcSoft\Media Converter for Philips\Internet Video Downloader\ArcURLRecord.dll (ArcSoft, Inc.)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Gamers Unite! Snag Bar BHO) - {26A7CA19-7D58-411D-B2DA-F1B0324CBFFC} - C:\Program Files\Gamers Unite! Snag Bar\Toolbar.dll ()
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111010183406.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Gamers Unite! Snag Bar) - {25515A79-C1C7-4B97-97F8-31A711694487} - C:\Program Files\Gamers Unite! Snag Bar\Toolbar.dll ()
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Gamers Unite! Snag Bar) - {25515A79-C1C7-4B97-97F8-31A711694487} - C:\Program Files\Gamers Unite! Snag Bar\Toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Zynga Toolbar) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\Toshiba\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [HTC Sync Loader] C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe ()
O4 - HKLM..\Run: [HWSetup] \HWSetup.exe hwSetUP File not found
O4 - HKLM..\Run: [InstaLAN] C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe (Affinegy, Inc.)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [KeNotify] C:\Program Files\Toshiba\Utilities\KeNotify.exe ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NDSTray.exe] NDSTray.exe File not found
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA)
O4 - HKLM..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe" File not found
O4 - HKCU..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler File not found
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Users\cliff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Advanced Registry Optimizer.lnk = File not found
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{3CB2F5AF-F074-4025-A108-F0426A2D2CB2}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{8D88C236-4AC9-480F-BFAA-4A1E7E86EF0B}: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D02AC04E-401A-437A-883E-38D4A27837C6}: DhcpNameServer = 192.168.100.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) -C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) -C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) -C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\cliff\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\cliff\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{b1e83d98-9545-11dd-934b-001eec3a14ac}\Shell - "" = AutoRun
O33 - MountPoints2\{b1e83d98-9545-11dd-934b-001eec3a14ac}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk /p \??\C:)
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/10/19 09:34:03 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2011/10/19 09:31:34 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{C15215DD-7CCA-4728-A5FD-849B5EDC8816}
[2011/10/19 09:30:48 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{85D08518-EA6B-4EC1-8A5A-D8563036A47A}
[2011/10/18 15:12:04 | 000,000,000 | ---D | C] -- C:\Users\cliff\FrostWire
[2011/10/18 15:11:57 | 000,000,000 | ---D | C] -- C:\Users\cliff\.frostwire5
[2011/10/18 15:11:47 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\FrostWire 5
[2011/10/18 15:11:22 | 000,000,000 | ---D | C] -- C:\Program Files\FrostWire 5
[2011/10/18 09:02:37 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{6107E1D9-16FF-4930-8F4F-563D382F730E}
[2011/10/18 09:01:53 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{A400EF27-A4AA-4F2D-92F5-E8B0E25F9841}
[2011/10/17 12:42:20 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{D7A0018D-6C4C-4371-8BC4-33D5DE270758}
[2011/10/17 12:28:55 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{66B281E1-3959-42CC-9245-6EF15DE154A6}
[2011/10/17 11:38:44 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{340F2065-6D43-4AB7-B0C8-56DBA5CBCD17}
[2011/10/17 10:56:14 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{12709EB9-7E08-4DA6-BB05-56EB12A2BC0C}
[2011/10/17 09:03:07 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{5F74BB48-9CFE-4AF8-AEFC-1A37B041AC65}
[2011/10/16 09:08:29 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{AC19F888-2A8B-4BE3-8A6F-942712854314}
[2011/10/16 09:08:15 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{B6809392-A981-49BA-A9E1-4F262DF74136}
[2011/10/15 11:27:58 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{404CDF3A-CAA3-4706-80B4-5462A0D71988}
[2011/10/15 11:27:35 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{38CBC8DA-A1D4-482F-A0F2-7539D1E26E0C}
[2011/10/15 04:58:45 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{B79B5F9A-D7BB-4BFC-8A62-F82C3BE92E78}
[2011/10/13 11:54:30 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Belkin
[2011/10/13 11:54:04 | 000,000,000 | ---D | C] -- C:\Program Files\Belkin
[2011/10/13 11:54:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Affinegy
[2011/10/13 08:41:09 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{69BD1929-0C45-496A-8502-8C95F8E77679}
[2011/10/12 11:04:09 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\Htc
[2011/10/12 11:02:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HTC Sync
[2011/10/12 10:12:23 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{E2546B3C-BF64-44F1-9B09-0B965F429BD3}
[2011/10/12 10:12:00 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{A0794D4B-8FD6-4125-ACD2-3B85BF3937DA}
[2011/10/11 15:03:49 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{EE6627A2-6D80-4DCD-B840-2744B0961A9A}
[2011/10/11 15:03:23 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{DF64BF8C-0598-4EE9-A29B-28B98FD173C1}
[2011/10/10 19:27:55 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{B5F38D30-C43B-4412-9CEF-8EC8848B096A}
[2011/10/10 14:45:44 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{D4563C46-5779-4CF5-8980-433CAC8949F9}
[2011/10/09 02:36:55 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{66DBBE81-C5E9-4BF4-8E14-E66085872668}
[2011/10/09 02:36:30 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{C1551FC5-58AB-4D40-A437-57520F1B3F2A}
[2011/10/08 13:19:12 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{2F112A41-CBAB-4B06-B726-FE548D6F548A}
[2011/10/08 13:18:27 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{C2527165-75F7-42D6-8420-19C78F1BE8EB}
[2011/10/08 03:01:51 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{AB18364B-3F1C-40DD-9B43-42B6F578268B}
[2011/10/08 03:00:57 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{1B240C85-F723-46D6-BF74-7682E5E1E193}
[2011/10/07 09:01:03 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{7B73E683-7BAC-407D-861F-E0A6AAF88B1C}
[2011/10/07 09:00:41 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{EAACB83B-D0B5-4EA7-8091-B57C0585F35F}
[2011/10/06 11:54:02 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{DBD52F9B-12AB-4F76-8821-788C013175D7}
[2011/10/06 11:53:37 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{95F70BCB-E6C8-4110-9F20-46F38DD6A5D1}
[2011/10/05 09:01:52 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{9FB54A99-6D87-48E6-A9B8-3047E9FF8F1F}
[2011/10/05 09:01:19 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{E4D8AFB9-63DE-45FE-8277-EAFDA8D64E00}
[2011/10/04 09:18:07 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{D5682E21-DAA4-4D60-A82E-F317FE6FB284}
[2011/10/04 09:17:44 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{B9BEC51C-23D3-422A-9BFF-048E3DAD8F8D}
[2011/10/03 18:31:09 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{E6426A9F-02F8-4337-BCDD-816D32DADC71}
[2011/10/02 05:20:26 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{E26B8A3E-546B-43DE-9E25-AB257467A99B}
[2011/10/02 05:19:57 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{791E9CD8-2C28-43D2-A84B-9E060FB736F0}
[2011/10/01 08:18:16 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{DDBFC33C-6055-4DD4-A28E-72CF1EC2FD4A}
[2011/10/01 08:17:47 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{41FF0879-182C-4190-91A0-961E62EBA580}
[2011/09/30 08:09:27 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{9D3893B2-D38A-4449-8F7F-6143D48F4787}
[2011/09/30 08:09:01 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{C8FC7A7C-A743-4C99-BB5B-1E60B7749A60}
[2011/09/28 10:01:45 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{91139F20-E03F-48C2-85C7-0FA91B45414B}
[2011/09/28 09:49:18 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{3556E238-3C9C-43A2-A9BF-C29EEACEC901}
[2011/09/28 09:37:45 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{FC55BEB5-D7D6-483F-9D89-0D7048A1709C}
[2011/09/27 08:15:19 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{4345CFEA-C16F-43E7-A948-EA030FDE6436}
[2011/09/27 08:14:49 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{6AFBF299-5A91-40A4-9514-5B4F71AEF2E1}
[2011/09/26 09:19:43 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{F6BCBBC0-3F35-4FD3-968B-207705F05C9D}
[2011/09/26 09:19:13 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{312AF3F9-05B0-4BCD-9FDA-703E28B5AC9E}
[2011/09/25 15:32:15 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{1DD0FECE-E9F3-4EDC-BB1D-A2C194CFB1EE}
[2011/09/25 15:31:52 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{F8387977-94FC-44E1-8AFD-3E48122A5D58}
[2011/09/24 23:26:18 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{25587459-4600-4585-9D6B-B4A878CA70C9}
[2011/09/23 09:51:30 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{6038B4B4-3536-42B0-BAE1-19E825419DF8}
[2011/09/23 09:51:05 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{C23306C9-C442-460C-8C4A-13BADBF7BC3D}
[2011/09/22 10:41:31 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{6A56F3B0-9B86-4AC5-AD0D-A809F0614C69}
[2011/09/22 10:41:07 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{9A3A821A-DE62-4DED-9BA3-B4AF20F6A74F}
[2011/09/21 13:01:18 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{DCDE7579-420D-4C40-BFC1-1890CE665CCC}
[2011/09/20 22:18:57 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{4C1AA102-35C3-4D6F-AFB9-6CACBD676540}
[2011/09/20 22:18:21 | 000,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{270CE404-993E-4009-9BBF-2626402DD1C8}
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2 C:\Users\cliff\AppData\Local\*.tmp files -> C:\Users\cliff\AppData\Local\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/10/20 00:03:57 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/10/20 00:03:29 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.exe
[2011/10/20 00:02:03 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/10/20 00:02:03 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/10/19 23:50:20 | 000,000,847 | ---- | M] () -- C:\Users\cliff\Desktop\OTL (1).exe - Shortcut.lnk
[2011/10/19 23:45:00 | 000,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2883493492-1982095606-3702794389-1000UA.job
[2011/10/19 23:04:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/10/19 20:04:02 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/10/19 18:57:09 | 000,002,024 | ---- | M] () -- C:\Windows\MOBK.blk
[2011/10/19 18:57:09 | 000,000,802 | ---- | M] () -- C:\Windows\MOBK.flt
[2011/10/19 10:15:18 | 000,044,544 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\agremove.exe
[2011/10/19 09:45:01 | 000,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2883493492-1982095606-3702794389-1000Core1cc0223f69c98ab.job
[2011/10/19 09:34:03 | 000,001,702 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Internet Security.lnk
[2011/10/19 09:27:44 | 000,017,408 | ---- | M] () -- C:\Windows\System32\rpcnetp.dll
[2011/10/18 15:11:48 | 000,001,061 | ---- | M] () -- C:\Users\cliff\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 5.1.5.lnk
[2011/10/18 15:11:47 | 000,001,037 | ---- | M] () -- C:\Users\cliff\Desktop\FrostWire 5.1.5.lnk
[2011/10/17 09:56:19 | 000,610,022 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/10/17 09:56:19 | 000,106,228 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/10/14 03:26:06 | 000,418,544 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/10/13 11:54:31 | 000,000,051 | ---- | M] () -- C:\Windows\System32\drivers\etc\lmhosts
[2011/10/12 11:02:56 | 000,000,982 | ---- | M] () -- C:\Users\cliff\Application Data\Microsoft\Internet Explorer\Quick Launch\HTC Sync.lnk
[2011/10/12 11:02:56 | 000,000,958 | ---- | M] () -- C:\Users\Public\Desktop\HTC Sync.lnk
[2011/09/28 23:48:24 | 000,005,864 | ---- | M] () -- C:\Users\cliff\AppData\Local\d3d9caps.dat
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2 C:\Users\cliff\AppData\Local\*.tmp files -> C:\Users\cliff\AppData\Local\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/10/20 00:03:27 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.exe
[2011/10/19 23:50:20 | 000,000,847 | ---- | C] () -- C:\Users\cliff\Desktop\OTL (1).exe - Shortcut.lnk
[2011/10/18 15:11:48 | 000,001,061 | ---- | C] () -- C:\Users\cliff\Application Data\Microsoft\Internet Explorer\Quick Launch\FrostWire 5.1.5.lnk
[2011/10/18 15:11:47 | 000,001,037 | ---- | C] () -- C:\Users\cliff\Desktop\FrostWire 5.1.5.lnk
[2011/10/18 08:58:51 | 000,017,408 | ---- | C] () -- C:\Windows\System32\rpcnetp.dll
[2011/10/12 11:02:56 | 000,000,982 | ---- | C] () -- C:\Users\cliff\Application Data\Microsoft\Internet Explorer\Quick Launch\HTC Sync.lnk
[2011/10/12 11:02:56 | 000,000,958 | ---- | C] () -- C:\Users\Public\Desktop\HTC Sync.lnk
[2011/09/27 08:17:34 | 000,001,702 | ---- | C] () -- C:\Users\Public\Desktop\McAfee Internet Security.lnk
[2011/09/16 04:28:58 | 000,000,000 | ---- | C] () -- C:\Users\cliff\AppData\Local\{F1157D44-08CC-4725-AA0E-705D97D4602A}
[2011/09/16 04:26:58 | 000,000,000 | ---- | C] () -- C:\Users\cliff\AppData\Local\{2EEDD777-7511-4A3A-93B5-11B5BFA5C416}
[2011/09/16 04:22:45 | 000,000,000 | ---- | C] () -- C:\Users\cliff\AppData\Local\{0CC20129-1078-45AD-91EA-BFA396AFE21E}
[2011/06/14 11:48:03 | 000,000,000 | ---- | C] () -- C:\Windows\DbgOut.INI
[2010/03/01 15:13:21 | 000,005,864 | ---- | C] () -- C:\Users\cliff\AppData\Local\d3d9caps.dat
[2010/01/24 04:37:41 | 000,002,560 | ---- | C] () -- C:\Windows\_MSRSTRT.EXE
[2009/12/05 22:35:12 | 000,974,848 | ---- | C] () -- C:\Windows\System32\LtDlgRes14n.dll
[2009/12/03 15:07:42 | 000,000,110 | ---- | C] () -- C:\Windows\ULEAD32.INI
[2009/09/23 18:44:41 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/09/23 18:44:39 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/23 18:42:37 | 000,643,072 | ---- | C] () -- C:\Windows\System32\autochk.exe
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 15:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/03/05 07:54:58 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/02/09 20:49:31 | 000,004,096 | -H-- | C] () -- C:\Users\cliff\AppData\Local\keyfile3.drm
[2009/01/17 19:33:36 | 000,007,250 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini
[2009/01/17 19:30:37 | 000,000,067 | ---- | C] () -- C:\Windows\wininit.ini
[2008/12/30 23:26:06 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2008/11/08 21:01:03 | 000,029,184 | ---- | C] () -- C:\Users\cliff\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/07 13:51:29 | 000,119,314 | ---- | C] () -- C:\ProgramData\LUUnInstall.LiveUpdate
[2008/09/13 15:04:30 | 000,000,067 | ---- | C] () -- C:\Windows\swupdate.INI
[2008/08/07 10:12:11 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2008/08/07 09:59:37 | 000,000,013 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2008/08/07 09:59:35 | 000,000,004 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2008/02/20 14:16:48 | 000,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008/02/20 14:16:48 | 000,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008/02/20 14:16:48 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008/02/20 14:16:48 | 000,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008/02/20 14:16:48 | 000,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008/02/20 14:16:48 | 000,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2008/02/20 14:03:54 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ3.dat
[2008/02/20 14:03:54 | 000,000,176 | ---- | C] () -- C:\Windows\System32\drivers\RTHDAEQ2.dat
[2008/02/20 14:03:54 | 000,000,016 | ---- | C] () -- C:\Windows\System32\drivers\RtkHDAud.dat
[2008/02/18 21:43:23 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/02/18 21:36:45 | 000,036,864 | ---- | C] () -- C:\Windows\System32\HWS_Ctrl.dll
[2008/02/18 21:33:34 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2008/02/18 21:33:34 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2008/02/18 21:33:34 | 000,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2008/02/18 21:33:34 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2008/02/18 20:31:59 | 000,157,040 | ---- | C] () -- C:\Windows\fdbpinger.exe
[2007/12/21 19:46:32 | 000,118,784 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2007/09/13 17:31:06 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2007/09/13 17:22:46 | 001,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/09/13 17:22:46 | 000,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/09/13 17:11:18 | 000,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 07:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 07:47:37 | 000,418,544 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 07:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 000,610,022 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 05:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 05:33:01 | 000,106,228 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 05:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 05:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 03:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 03:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 02:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2005/11/23 17:55:42 | 000,024,576 | ---- | C] () -- C:\Windows\System32\SPCtl.dll
[2005/07/23 00:30:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

========== LOP Check ==========

[2010/02/15 20:26:02 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\eMusic
[2009/12/20 01:30:08 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\F-Secure
[2011/10/18 15:10:29 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\FrostWire
[2008/10/06 10:18:47 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\GetRightToGo
[2009/04/27 18:43:10 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\gtk-2.0
[2011/10/12 11:04:30 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\HTC
[2011/04/17 22:48:09 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
[2009/04/28 23:52:48 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Jasc
[2009/12/16 01:31:21 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Opera
[2011/04/21 12:26:02 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Outlook
[2009/06/10 14:05:22 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Pogo Games
[2010/09/18 06:56:14 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Research In Motion
[2010/12/19 16:51:08 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Sammsoft
[2010/11/30 00:18:20 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Skip-Bo
[2011/04/21 12:18:02 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Teleca
[2008/10/12 12:28:03 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\TOSHIBA
[2010/03/01 22:03:13 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Trillian
[2011/03/07 01:33:08 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Ulead Systems
[2008/08/07 12:51:00 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\WildTangent
[2008/11/03 16:39:17 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\WinBatch
[2011/08/27 16:31:19 | 000,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Windows Live Writer
[2011/10/20 00:02:00 | 000,032,544 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\cliff\Documents\BFT MASS ADDS FAST AND FLAWLESS.txt:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\cliff\Documents\base flasher.gif:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\cliff\Documents\2008_Federal_Return.pdf:Roxio EMC Stream
@Alternate Data Stream - 203 bytes -> C:\ProgramData\TEMP:A73EAFFB

< End of report >

#2
dantemic1
    Member (Topic Starter)
  • 16 posts
Wow Still NO help????????????????? :) :yes: :) :) :) :) :) :)

#3
Jintan
    Trusted Helper (Malware Removal)
  • 904 posts
Hello dantemic1,

Busy place, boocoo new requests, limited number of volunteers to help out. So there will be delays. Exploit type malware designations are often code excerpts in maybe legit files that match malware methods. You do have some adware/search hijacker activity showing, and parts of these too may be what's being picked up. You didn't post the second OTL Extras.Txt log, which I will need to see. It should be located in the same place as the OTL.exe file, so please locate and post those contents.

Also let's get a bit more detailed look here.

The system is Vista, so when running any of the scan files we use, be sure to right click the file, then select "Run as administrator" to start the scan/tool.

And to make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".

To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

----------

Click here and download the installer for Gmer to your desktop, then click that file to run Gmer.


Once the opening scan finishes, click on Scan (again, before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan).

When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

Note - If Gmer shows it has located infection once its opening scan completes, do not click the Scan button. We don't want hidden malware settings to cause any problems. Instead, just click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste. Copy the information and post it here please.

-----------

Download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Decline a download of avast itself if offered
  • If avast! antivirus is already installed, go to the dropdown next to AV engine: and select (none)
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

A lot, but comprehensive, and will make sure we get a good view of everything.

#4
dantemic1
    Member (Topic Starter)
  • 16 posts
I did the scans that you asked me to do but when I redid the OTL scan I did not see a log for OTL extras.txt. The only log that shows up is the one that I am posting. I looked on the program and didn't see anywhere that I could get the log from either.

OTL logfile created on: 11/5/2011 12:55:18 AM - Run 5
OTL by OldTimer - Version 3.1.26.0 Folder = C:\Users\cliff\Downloads
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 42.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 56.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 110.32 Gb Total Space | 52.96 Gb Free Space | 48.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name: cliff
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2011/10/18 09:40:25 | 00,140,952 | ---- | M] (Google Inc.) -- C:\Users\cliff\AppData\Local\Google\Update\1.3.21.79\GoogleCrashHandler.exe
PRC - [2011/10/06 16:41:16 | 00,166,024 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2011/09/16 18:38:10 | 01,318,552 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/08/22 10:01:00 | 00,593,920 | ---- | M] () -- C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe
PRC - [2011/08/19 15:59:30 | 00,148,520 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
PRC - [2011/08/19 15:55:34 | 00,160,344 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2011/08/12 17:13:26 | 00,087,040 | ---- | M] () -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe
PRC - [2011/06/16 07:55:12 | 00,079,160 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
PRC - [2011/06/06 12:55:28 | 00,064,952 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2011/04/08 12:59:52 | 00,254,696 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Common Files\Java\Java Update\jusched.exe
PRC - [2011/03/28 20:31:16 | 00,193,920 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
PRC - [2011/03/28 20:31:14 | 01,713,536 | ---- | M] (Microsoft Corp.) -- C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
PRC - [2011/02/24 21:08:34 | 00,566,688 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe
PRC - [2011/02/24 21:08:32 | 07,034,272 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinSetup.exe
PRC - [2011/02/24 21:08:32 | 01,770,400 | ---- | M] (Affinegy, Inc.) -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe
PRC - [2011/01/27 18:28:14 | 00,214,904 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2010/12/15 23:46:06 | 00,151,056 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\Core\mchost.exe
PRC - [2010/10/27 20:17:52 | 00,207,424 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
PRC - [2010/09/22 12:03:38 | 00,249,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2010/08/25 11:27:44 | 00,309,824 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
PRC - [2010/04/13 21:11:16 | 03,045,176 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKstat.exe
PRC - [2010/04/13 21:11:14 | 00,229,688 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe
PRC - [2010/03/18 11:19:26 | 00,113,152 | ---- | M] (ArcSoft Inc.) -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
PRC - [2010/03/17 14:31:58 | 00,106,496 | R--- | M] (SweetIM Technologies Ltd.) -- C:\Program Files\SweetIM\Messenger\SweetIM.exe
PRC - [2010/01/25 21:29:04 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Users\cliff\Downloads\OTL.exe
PRC - [2010/01/15 07:49:20 | 00,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2009/12/07 19:29:44 | 00,055,016 | ---- | M] (Xobni Corporation) -- C:\Program Files\Xobni\XobniService.exe
PRC - [2009/04/11 01:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/03/20 07:36:58 | 00,210,216 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynToshiba.exe
PRC - [2009/03/20 07:36:38 | 01,451,304 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2009/03/20 07:36:38 | 00,103,720 | ---- | M] (Synaptics Incorporated) -- C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
PRC - [2008/11/09 15:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/10/25 11:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/02/21 17:02:53 | 00,238,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
PRC - [2008/01/29 21:51:52 | 04,911,104 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe
PRC - [2008/01/22 16:25:26 | 00,712,704 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
PRC - [2008/01/21 18:54:46 | 00,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
PRC - [2008/01/20 21:25:33 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2008/01/20 21:23:32 | 01,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2008/01/17 18:27:52 | 00,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
PRC - [2008/01/17 18:27:34 | 00,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
PRC - [2008/01/09 17:02:08 | 01,056,768 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
PRC - [2007/12/25 16:07:14 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe
PRC - [2007/12/25 16:06:52 | 00,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
PRC - [2007/12/03 19:03:52 | 00,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SMARTLogService\TosIPCSrv.exe
PRC - [2007/11/21 20:23:32 | 00,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe
PRC - [2007/10/23 19:27:16 | 00,066,928 | ---- | M] () -- c:\Toshiba\IVP\swupdate\swupdtmr.exe
PRC - [2007/09/28 19:05:16 | 00,128,360 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/09/20 12:58:48 | 00,252,440 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2007/09/20 12:58:44 | 00,129,560 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxpers.exe
PRC - [2007/09/20 12:58:34 | 00,154,136 | ---- | M] (Intel Corporation) -- C:\Windows\System32\hkcmd.exe
PRC - [2007/06/15 23:01:58 | 00,448,080 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\SmoothView\SmoothView.exe
PRC - [2007/01/25 21:47:50 | 00,136,816 | ---- | M] () -- C:\Toshiba\IVP\ISM\pinger.exe
PRC - [2006/11/06 20:14:44 | 00,034,352 | ---- | M] () -- C:\Program Files\Toshiba\Utilities\KeNotify.exe
PRC - [2006/10/05 15:10:12 | 00,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe
PRC - [2006/08/23 19:39:48 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


========== Modules (SafeList) ==========

MOD - [2011/08/11 16:37:26 | 00,018,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2010/08/31 10:43:52 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
MOD - [2010/01/25 21:29:04 | 00,547,328 | ---- | M] (OldTimer Tools) -- C:\Users\cliff\Downloads\OTL.exe


========== Win32 Services (SafeList) ==========

SRV - [2011/10/06 16:41:16 | 00,166,024 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/08/31 17:00:48 | 00,366,152 | ---- | M] (Malwarebytes Corporation) [Disabled | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/08/19 15:59:30 | 00,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
SRV - [2011/08/19 15:55:34 | 00,160,344 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe -- (mfefire)
SRV - [2011/08/12 17:13:26 | 00,087,040 | ---- | M] () [Auto | Running] -- C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe -- (PassThru Service)
SRV - [2011/06/06 12:55:28 | 00,064,952 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2011/05/13 15:27:02 | 01,492,840 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2011/03/28 20:31:14 | 01,713,536 | ---- | M] (Microsoft Corp.) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
SRV - [2011/03/17 16:38:42 | 00,361,712 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2011/02/24 21:08:34 | 00,566,688 | ---- | M] (Affinegy, Inc.) [Auto | Running] -- C:\Program Files\Belkin\Router Setup and Monitor\BelkinService.exe -- (AffinegyService)
SRV - [2011/02/22 08:33:09 | 00,797,696 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2011/01/27 18:28:14 | 00,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2011/01/27 18:28:14 | 00,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2011/01/27 18:28:14 | 00,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2011/01/27 18:28:14 | 00,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2011/01/27 18:28:14 | 00,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2011/01/27 18:28:14 | 00,214,904 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2011/01/27 18:28:14 | 00,214,904 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/09/22 16:33:04 | 00,051,040 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Program Files\Windows Live\Mesh\wlcrasvc.exe -- (wlcrasvc)
SRV - [2010/09/22 12:03:38 | 00,249,136 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2010/04/13 21:11:14 | 00,229,688 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee Online Backup\MOBKbackup.exe -- (MOBKbackup)
SRV - [2010/03/18 13:16:28 | 00,753,504 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe -- (WPFFontCache_v0400)
SRV - [2010/03/18 13:16:28 | 00,130,384 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -- (clr_optimization_v4.0.30319_32)
SRV - [2010/03/18 11:19:26 | 00,113,152 | ---- | M] (ArcSoft Inc.) [Auto | Running] -- C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe -- (ACDaemon)
SRV - [2010/02/04 19:24:14 | 00,135,664 | ---- | M] (Google Inc.) [On_Demand | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdatem) Google Update Service (gupdatem)
SRV - [2010/02/04 19:24:14 | 00,135,664 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate) Google Update Service (gupdate)
SRV - [2010/01/15 07:49:20 | 00,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2009/12/07 19:29:44 | 00,055,016 | ---- | M] (Xobni Corporation) [Auto | Running] -- C:\Program Files\Xobni\XobniService.exe -- (XobniService)
SRV - [2009/04/15 22:20:30 | 00,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2008/11/15 00:25:54 | 00,029,744 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-061008-081103)
SRV - [2008/11/09 15:48:14 | 00,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 11:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/09/05 11:52:32 | 03,220,856 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE -- (LiveUpdate)
SRV - [2008/05/05 17:25:46 | 00,165,416 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2008/02/21 17:02:53 | 00,238,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe -- (Automatic LiveUpdate Scheduler)
SRV - [2008/01/21 18:54:46 | 00,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv)
SRV - [2008/01/20 21:23:32 | 00,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/17 18:27:34 | 00,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv)
SRV - [2007/12/25 16:07:14 | 00,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service)
SRV - [2007/12/03 19:03:52 | 00,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service)
SRV - [2007/11/21 20:23:32 | 00,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/10/30 02:35:40 | 00,937,984 | ---- | M] (Atheros Communications, Inc.) [On_Demand | Stopped] -- C:\Program Files\Jumpstart\jswpsapi.exe -- (jswpsapi)
SRV - [2007/10/23 19:27:16 | 00,066,928 | ---- | M] () [Auto | Running] -- c:\Toshiba\IVP\swupdate\swupdtmr.exe -- (Swupdtmr)
SRV - [2007/09/28 19:05:16 | 00,128,360 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/01/25 21:47:50 | 00,136,816 | ---- | M] () [Auto | Running] -- C:\Toshiba\IVP\ISM\pinger.exe -- (pinger)
SRV - [2006/11/02 07:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/10/26 17:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2006/10/05 15:10:12 | 00,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2006/08/23 19:39:48 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2004/10/22 04:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.c...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKLM\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
IE - HKCU\..\URLSearchHook: {b843a48a-b70f-45cd-a15a-6c2b30c2c11e} - C:\Program Files\Gamers Unite! Snag Bar\Helper.dll ()
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultthis.engineName: "Mafia Mofo Tools Customized Web Search"
FF - prefs.js..browser.search.defaulturl: "http://search.condui...={searchTerms}"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "www.yahoo.com"
FF - prefs.js..keyword.URL: "http://ws.infospace...._id=62781&qkw="
FF - prefs.js..network.proxy.type: 0


FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Components: C:\Program Files\eMusic Download Manager\xulrunner\components [2010/02/15 20:19:33 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\eMusic Download Manager\Extensions\\Plugins: C:\Program Files\eMusic Download Manager\xulrunner\plugins [2011/09/15 10:40:03 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B728AB94-9BC7-49b7-B76A-422BB31B2FD0}: C:\Program Files\ArcSoft\Media Converter for Philips\Internet Video Downloader\Plugin_FireFox [2009/11/27 16:32:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2011/10/31 19:09:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2011/11/04 23:33:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/05/10 12:17:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 4.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/09/15 10:40:04 | 00,000,000 | ---D | M]

[2011/04/19 09:13:10 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\mozilla\Extensions
[2009/10/06 18:24:08 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\mozilla\Extensions\[email protected]
[2009/03/22 18:59:20 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\mozilla\Extensions\[email protected]
[2008/12/24 20:24:42 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\extensions
[2008/12/24 20:24:42 | 00,000,000 | ---D | M] (No name found) -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\extensions\{E9A1DEE0-C623-4439-8932-001E7D17607D}
[2011/11/04 00:50:29 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\Profiles\hrl7wxku.default\extensions
[2011/11/03 08:26:32 | 00,000,000 | ---D | M] (Mafia Mofo Tools Community Toolbar) -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\Profiles\hrl7wxku.default\extensions\{60e2adb1-527c-4b38-becd-70dc757b57ca}
[2011/11/03 08:26:37 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\Profiles\hrl7wxku.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2011/04/19 10:44:08 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\Profiles\hrl7wxku.default\extensions\[email protected]
[2011/11/04 00:50:29 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\mozilla\Firefox\Profiles\hrl7wxku.default\extensions\staged
[2011/06/19 13:04:44 | 00,000,935 | ---- | M] () -- C:\Users\cliff\AppData\Roaming\Mozilla\FireFox\Profiles\hrl7wxku.default\searchplugins\conduit.xml
[2011/05/11 12:16:12 | 00,001,742 | ---- | M] () -- C:\Users\cliff\AppData\Roaming\Mozilla\FireFox\Profiles\hrl7wxku.default\searchplugins\search-the-web.xml
[2011/06/14 18:24:21 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2011/04/19 09:13:26 | 00,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2010/05/20 18:02:25 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/08/06 17:31:44 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
[2010/10/22 01:35:00 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
[2011/01/23 19:45:56 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/02 11:25:47 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/06/14 18:24:22 | 00,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2011/04/30 12:55:41 | 00,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browsercomps.dll
[2011/04/14 14:01:38 | 00,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2011/05/04 04:52:23 | 00,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2010/01/01 03:00:00 | 00,002,252 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\bing.xml
[2011/11/03 08:27:11 | 00,002,024 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml

O1 HOSTS File: ([2006/09/18 16:41:30 | 00,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll (Yahoo! Inc.)
O2 - BHO: (IEPlugin Class) - {11222041-111B-46E3-BD29-EFB2449479B1} - C:\Program Files\ArcSoft\Media Converter for Philips\Internet Video Downloader\ArcURLRecord.dll (ArcSoft, Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O2 - BHO: (Gamers Unite! Snag Bar BHO) - {26A7CA19-7D58-411D-B2DA-F1B0324CBFFC} - C:\Program Files\Gamers Unite! Snag Bar\Toolbar.dll ()
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\progra~1\mcafee\msk\mskapbho.dll File not found
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20111010183406.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Messenger Companion Helper) - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (SweetIM Toolbar Helper) - {EEE6C35C-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Gamers Unite! Snag Bar) - {25515A79-C1C7-4B97-97F8-31A711694487} - C:\Program Files\Gamers Unite! Snag Bar\Toolbar.dll ()
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn9\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Gamers Unite! Snag Bar) - {25515A79-C1C7-4B97-97F8-31A711694487} - C:\Program Files\Gamers Unite! Snag Bar\Toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Zynga Toolbar) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (SweetIM Toolbar for Internet Explorer) - {EEE6C35B-6118-11DC-9C72-001320C79847} - C:\Program Files\SweetIM\Toolbars\Internet Explorer\mgToolbarIE.dll (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [00TCrdMain] C:\Program Files\Toshiba\FlashCards\TCrdMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft Inc.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [HTC Sync Loader] C:\Program Files\HTC\HTC Sync 3.0\htcUPCTLoader.exe ()
O4 - HKLM..\Run: [HWSetup] File not found
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [InstaLAN] C:\Program Files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe (Affinegy, Inc.)
O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION)
O4 - HKLM..\Run: [KeNotify] C:\Program Files\Toshiba\Utilities\KeNotify.exe ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NDSTray.exe] File not found
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [Skytel] C:\Windows\SkyTel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Common Files\Java\Java Update\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe (TOSHIBA)
O4 - HKLM..\Run: [SweetIM] C:\Program Files\SweetIM\Messenger\SweetIM.exe (SweetIM Technologies Ltd.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics Incorporated)
O4 - HKLM..\Run: [TPwrMain] C:\Program Files\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe File not found
O4 - HKCU..\Run: [Google Update] C:\Users\cliff\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
O4 - HKCU..\Run: [ISUSPM] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe File not found
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [Spotify] C:\Users\cliff\AppData\Roaming\Spotify\Spotify.exe (Spotify Ltd)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O4 - Startup: C:\Users\cliff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Advanced Registry Optimizer.lnk = C:\Program Files\Advanced Registry Optimizer\ARO.exe File not found
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll (Google Inc.)
O9 - Extra Button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll (Microsoft Corporation)
O9 - Extra Button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab (Microsoft Office Template and Media Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.ma...r/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_26)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlpg {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll (Microsoft Corporation)
O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - c:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Users\cliff\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\cliff\AppData\Roaming\Microsoft\Windows Live Photo Gallery\Windows Live Photo Gallery Wallpaper.jpg
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{b1e83d98-9545-11dd-934b-001eec3a14ac}\Shell - "" = AutoRun
O33 - MountPoints2\{b1e83d98-9545-11dd-934b-001eec3a14ac}\Shell\AutoRun\command - "" = F:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk /p \??\C:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

========== Files/Folders - Created Within 14 Days ==========

[2011/11/04 23:31:43 | 00,100,864 | ---- | C] (GMER) -- C:\fgtdipow.sys
[2011/11/04 23:25:53 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{2B0C3DA1-57EB-4ADE-B39B-5D707333EC3A}
[2011/11/04 03:50:07 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{62620A39-3EB0-443E-921E-3F35D0CD4DB7}
[2011/11/04 03:49:54 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{4B86D02A-7760-4F66-A617-A2ADCB849B67}
[2011/11/03 14:30:35 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\Spotify
[2011/11/03 14:30:19 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Roaming\Spotify
[2011/11/03 07:02:34 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{52A67EB2-5010-4FE9-93B5-D766C64FC392}
[2011/11/03 07:02:10 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{B0D8F4CE-B807-41AC-AA63-3FB205BC4561}
[2011/11/02 18:39:30 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{A5342B85-5637-44D2-A043-6B89A78F34FC}
[2011/11/02 09:27:35 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{CF392AB0-F462-4460-A69B-42E613E982D4}
[2011/11/01 09:23:34 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{67069923-6A2D-436A-BDE7-8DA846A7F68F}
[2011/11/01 09:23:00 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{2B0DC11F-6C94-4E88-B5DF-7683C226911A}
[2011/10/31 18:56:35 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{8408C5CF-0A3A-493E-82D0-3DC2B0252B08}
[2011/10/30 04:54:04 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{3AF8CC55-3DCD-4877-98AF-8D65694C8CCB}
[2011/10/30 04:53:40 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{2CFB834B-9896-47DC-84E6-A96500905940}
[2011/10/29 09:28:04 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{A89FBDE9-211E-48BA-8658-705A2961D784}
[2011/10/29 09:27:42 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{7BA5AC1E-C1BD-4D7C-B4B8-794E11FFD5F3}
[2011/10/28 18:28:16 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{11D129B6-7BDA-446E-A2F0-BE105DC048A4}
[2011/10/28 18:27:42 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{A5CE609A-2C72-40E0-8B43-F1E11F163E9E}
[2011/10/28 08:31:55 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{DC148965-B01B-4530-BD15-233E6E7EE067}
[2011/10/27 21:29:57 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{5DEADAE7-1752-438C-956B-AD932BD54093}
[2011/10/27 09:27:32 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{136665D5-3438-4FE3-A392-673D1FB2B55D}
[2011/10/27 09:27:03 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{3EA9B427-5534-4E39-82BA-3F20495B2AEE}
[2011/10/26 09:56:22 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{1B8DE92F-72BB-4C40-8A8F-BC7FE057468D}
[2011/10/26 09:55:39 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{CCF2A741-EBBD-4EE0-8380-28471A39A375}
[2011/10/25 18:19:38 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{F03CB791-F3BC-4734-8C67-A6C771405282}
[2011/10/25 18:19:03 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{BBE6B90E-C13E-43F8-957D-47EEDE3E5F8F}
[2011/10/25 09:49:14 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{0BC65151-E65A-4BE6-AE93-B47C2A80BA01}
[2011/10/25 09:49:02 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{6AE80744-83DD-40F8-A3BF-9083FAA11BA5}
[2011/10/24 19:37:24 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{B5EA4D88-0678-4197-860D-5C7B68D3B43F}
[2011/10/23 15:28:14 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{69A3DBA5-A4A3-42FD-BAB8-E7EA54D6CD4E}
[2011/10/22 09:41:47 | 00,000,000 | ---D | C] -- C:\Users\cliff\AppData\Local\{985BA710-D0E6-4FC8-97D1-DB74319B9CDB}
[2011/10/18 15:12:04 | 00,000,000 | ---D | C] -- C:\Users\cliff\FrostWire
[2011/10/18 15:11:57 | 00,000,000 | ---D | C] -- C:\Users\cliff\.frostwire5
[2011/10/13 11:54:04 | 00,000,000 | ---D | C] -- C:\ProgramData\Affinegy
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2 C:\Users\cliff\AppData\Local\*.tmp files -> C:\Users\cliff\AppData\Local\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2011/11/05 00:55:17 | 06,553,600 | -HS- | M] () -- C:\Users\cliff\ntuser.dat
[2011/11/05 00:45:00 | 00,000,908 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2883493492-1982095606-3702794389-1000UA.job
[2011/11/05 00:04:31 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/11/04 23:55:06 | 00,044,544 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\agremove.exe
[2011/11/04 23:31:44 | 00,001,702 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Internet Security.lnk
[2011/11/04 23:31:43 | 00,100,864 | ---- | M] (GMER) -- C:\fgtdipow.sys
[2011/11/04 23:24:33 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/11/04 23:24:27 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/11/04 23:23:54 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/11/04 23:22:55 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2011/11/04 23:22:50 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/11/04 23:22:46 | 21,374,48448 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/04 23:22:05 | 00,524,288 | -HS- | M] () -- C:\Users\cliff\ntuser.dat{98f93032-5b56-11de-92b1-da968f19cc63}.TMContainer00000000000000000002.regtrans-ms
[2011/11/04 23:22:05 | 00,065,536 | -HS- | M] () -- C:\Users\cliff\ntuser.dat{98f93032-5b56-11de-92b1-da968f19cc63}.TM.blf
[2011/11/03 14:30:24 | 00,000,832 | ---- | M] () -- C:\Users\cliff\Desktop\Spotify.lnk
[2011/11/03 09:45:01 | 00,000,856 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2883493492-1982095606-3702794389-1000Core1cc0223f69c98ab.job
[2011/11/02 12:05:53 | 00,002,024 | ---- | M] () -- C:\Windows\MOBK.blk
[2011/11/02 12:05:53 | 00,000,802 | ---- | M] () -- C:\Windows\MOBK.flt
[2011/10/22 10:15:00 | 00,711,302 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2011/10/22 10:15:00 | 00,610,022 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/10/22 10:15:00 | 00,106,228 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/10/20 00:00:17 | 00,010,604 | ---- | M] () -- C:\Users\cliff\Documents\GeeksToGo.docx
[2011/10/19 23:50:20 | 00,000,847 | ---- | M] () -- C:\Users\cliff\Desktop\OTL (1).exe - Shortcut.lnk
[2011/10/18 15:11:47 | 00,001,037 | ---- | M] () -- C:\Users\cliff\Desktop\FrostWire 5.1.5.lnk
[2011/10/14 03:26:06 | 00,418,544 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2011/10/13 11:54:31 | 00,000,051 | ---- | M] () -- C:\Windows\System32\drivers\etc\lmhosts
[2011/10/12 11:02:56 | 00,000,958 | ---- | M] () -- C:\Users\Public\Desktop\HTC Sync.lnk
[2 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]
[2 C:\Users\cliff\AppData\Local\*.tmp files -> C:\Users\cliff\AppData\Local\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/04 23:22:46 | 21,374,48448 | -HS- | C] () -- C:\hiberfil.sys
[2011/11/03 14:30:24 | 00,000,832 | ---- | C] () -- C:\Users\cliff\Desktop\Spotify.lnk
[2011/10/20 00:00:15 | 00,010,604 | ---- | C] () -- C:\Users\cliff\Documents\GeeksToGo.docx
[2011/10/19 23:50:20 | 00,000,847 | ---- | C] () -- C:\Users\cliff\Desktop\OTL (1).exe - Shortcut.lnk
[2011/10/18 15:11:47 | 00,001,037 | ---- | C] () -- C:\Users\cliff\Desktop\FrostWire 5.1.5.lnk
[2011/10/12 11:02:56 | 00,000,958 | ---- | C] () -- C:\Users\Public\Desktop\HTC Sync.lnk
[2011/09/16 04:28:58 | 00,000,000 | ---- | C] () -- C:\Users\cliff\AppData\Local\{F1157D44-08CC-4725-AA0E-705D97D4602A}
[2011/09/16 04:26:58 | 00,000,000 | ---- | C] () -- C:\Users\cliff\AppData\Local\{2EEDD777-7511-4A3A-93B5-11B5BFA5C416}
[2011/09/16 04:22:45 | 00,000,000 | ---- | C] () -- C:\Users\cliff\AppData\Local\{0CC20129-1078-45AD-91EA-BFA396AFE21E}
[2011/06/14 11:48:03 | 00,000,000 | ---- | C] () -- C:\Windows\DbgOut.INI
[2010/09/18 06:56:27 | 00,002,578 | ---- | C] () -- C:\Users\cliff\AppData\Roaming\Rim.Desktop.Exception.log
[2010/09/16 16:50:54 | 00,001,602 | ---- | C] () -- C:\Users\cliff\AppData\Roaming\Rim.Desktop.HttpServerSetup.log
[2010/03/01 21:51:12 | 00,000,032 | ---- | C] () -- C:\Users\cliff\AppData\Local\xobni_installer_updater.log
[2010/03/01 15:13:21 | 00,005,864 | ---- | C] () -- C:\Users\cliff\AppData\Local\d3d9caps.dat
[2009/12/05 22:35:12 | 00,974,848 | ---- | C] () -- C:\Windows\System32\LtDlgRes14n.dll
[2009/12/03 15:07:42 | 00,000,110 | ---- | C] () -- C:\Windows\ULEAD32.INI
[2009/09/23 18:44:39 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/08/03 15:07:42 | 00,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/03/05 07:54:58 | 00,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2009/02/09 20:49:31 | 00,004,096 | -H-- | C] () -- C:\Users\cliff\AppData\Local\keyfile3.drm
[2009/01/17 19:33:36 | 00,007,250 | ---- | C] () -- C:\ProgramData\N360BUOptions.ini
[2009/01/17 19:30:37 | 00,000,067 | ---- | C] () -- C:\Windows\wininit.ini
[2008/11/08 21:01:03 | 00,029,184 | ---- | C] () -- C:\Users\cliff\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/07 13:51:29 | 00,119,314 | ---- | C] () -- C:\ProgramData\LUUnInstall.LiveUpdate
[2008/09/13 15:04:30 | 00,000,067 | ---- | C] () -- C:\Windows\swupdate.INI
[2008/08/07 09:59:37 | 00,000,013 | RHS- | C] () -- C:\Windows\System32\drivers\fbd.sys
[2008/08/07 09:59:35 | 00,000,004 | RHS- | C] () -- C:\Windows\System32\drivers\taishop.sys
[2008/02/20 14:16:48 | 00,204,800 | ---- | C] () -- C:\Windows\System32\IVIresizeW7.dll
[2008/02/20 14:16:48 | 00,200,704 | ---- | C] () -- C:\Windows\System32\IVIresizeA6.dll
[2008/02/20 14:16:48 | 00,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeP6.dll
[2008/02/20 14:16:48 | 00,192,512 | ---- | C] () -- C:\Windows\System32\IVIresizeM6.dll
[2008/02/20 14:16:48 | 00,188,416 | ---- | C] () -- C:\Windows\System32\IVIresizePX.dll
[2008/02/20 14:16:48 | 00,020,480 | ---- | C] () -- C:\Windows\System32\IVIresize.dll
[2008/02/18 21:43:23 | 00,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI
[2008/02/18 21:36:45 | 00,036,864 | ---- | C] () -- C:\Windows\System32\HWS_Ctrl.dll
[2008/02/18 21:33:34 | 00,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini
[2008/02/18 21:33:34 | 00,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll
[2008/02/18 21:33:34 | 00,010,150 | ---- | C] () -- C:\Windows\System32\tosmreg.ini
[2008/02/18 21:33:34 | 00,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini
[2007/12/21 19:46:32 | 00,118,784 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll
[2007/09/13 17:31:06 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1329.dll
[2007/09/13 17:22:46 | 01,238,832 | ---- | C] () -- C:\Windows\System32\igmedkrn.dll
[2007/09/13 17:22:46 | 00,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2007/09/13 17:11:18 | 00,249,856 | ---- | C] () -- C:\Windows\System32\igfxTMM.dll
[2006/11/02 07:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 02:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2005/11/23 17:55:42 | 00,024,576 | ---- | C] () -- C:\Windows\System32\SPCtl.dll
[2005/07/23 00:30:18 | 00,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll

========== LOP Check ==========

[2010/02/15 20:26:02 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\eMusic
[2009/12/20 01:30:08 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\F-Secure
[2011/10/18 15:10:29 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\FrostWire
[2008/10/06 10:18:47 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\GetRightToGo
[2009/04/27 18:43:10 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\gtk-2.0
[2011/10/12 11:04:30 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\HTC
[2011/04/17 22:48:09 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\HTC.388BC06ACDAB6261375BCE37FBA2E023C0D7EE34.1
[2009/04/28 23:52:48 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Jasc
[2009/12/16 01:31:21 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Opera
[2011/04/21 12:26:02 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Outlook
[2009/06/10 14:05:22 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Pogo Games
[2010/09/18 06:56:14 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Research In Motion
[2010/12/19 16:51:08 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Sammsoft
[2010/11/30 00:18:20 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Skip-Bo
[2011/11/04 23:25:23 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Spotify
[2011/04/21 12:18:02 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Teleca
[2008/10/12 12:28:03 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\TOSHIBA
[2010/03/01 22:03:13 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Trillian
[2011/03/07 01:33:08 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Ulead Systems
[2008/08/07 12:51:00 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\WildTangent
[2008/11/03 16:39:17 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\WinBatch
[2011/08/27 16:31:19 | 00,000,000 | ---D | M] -- C:\Users\cliff\AppData\Roaming\Windows Live Writer
[2011/11/04 20:36:08 | 00,032,570 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 76 bytes -> C:\Users\cliff\Documents\BFT MASS ADDS FAST AND FLAWLESS.txt:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\cliff\Documents\base flasher.gif:Roxio EMC Stream
@Alternate Data Stream - 76 bytes -> C:\Users\cliff\Documents\2008_Federal_Return.pdf:Roxio EMC Stream
@Alternate Data Stream - 203 bytes -> C:\ProgramData\TEMP:A73EAFFB
< End of report >



GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-05 00:54:13
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HTS542512K9SA00 rev.BB2OC33P
Running: 9lepvu8x.exe; Driver: C:\Users\cliff\AppData\Local\Temp\fgtdipow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x82E83268]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x82E83292]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x82E8327E]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x82E83254]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82834982 5 Bytes JMP 82E83258 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 829FA143 5 Bytes JMP 82E83296 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 82A1989A 7 Bytes JMP 82E8326C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82A19B5D 5 Bytes JMP 82E83282 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x83759000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x837A2000, 0x510, 0x40000040]
? C:\Users\cliff\AppData\Local\Temp\aswMBR.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[180] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 6D619A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[180] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 6D6199A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\services.exe[700] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 000D0000
.text C:\Windows\system32\services.exe[700] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 000D0FD4
.text C:\Windows\system32\services.exe[700] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 000D0FE5
.text C:\Windows\system32\services.exe[700] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 000E008C
.text C:\Windows\system32\services.exe[700] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 000E0F50
.text C:\Windows\system32\services.exe[700] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 000E0F1A
.text C:\Windows\system32\services.exe[700] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 000E0F2B
.text C:\Windows\system32\services.exe[700] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 000E0F72
.text C:\Windows\system32\services.exe[700] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 000E000A
.text C:\Windows\system32\services.exe[700] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 000E0025
.text C:\Windows\system32\services.exe[700] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 000E007B
.text C:\Windows\system32\services.exe[700] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 000E0F8D
.text C:\Windows\system32\services.exe[700] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 000E0036
.text C:\Windows\system32\services.exe[700] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 000E0F9E
.text C:\Windows\system32\services.exe[700] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 000E0FAF
.text C:\Windows\system32\services.exe[700] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 000E0F61
.text C:\Windows\system32\services.exe[700] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 000E0F09
.text C:\Windows\system32\services.exe[700] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 000E0FD4
.text C:\Windows\system32\services.exe[700] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 000E0FEF
.text C:\Windows\system32\services.exe[700] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 000E00B1
.text C:\Windows\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00100F86
.text C:\Windows\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00100FA8
.text C:\Windows\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00100FEF
.text C:\Windows\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00100F97
.text C:\Windows\system32\services.exe[700] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00100F6B
.text C:\Windows\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 00100FD4
.text C:\Windows\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 00100000
.text C:\Windows\system32\services.exe[700] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00100FB9
.text C:\Windows\system32\services.exe[700] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 000F0027
.text C:\Windows\system32\services.exe[700] msvcrt.dll!system 7604804B 5 Bytes JMP 000F0F9C
.text C:\Windows\system32\services.exe[700] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 000F0FC8
.text C:\Windows\system32\services.exe[700] msvcrt.dll!_open 7604D106 5 Bytes JMP 000F0FEF
.text C:\Windows\system32\services.exe[700] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 000F0FB7
.text C:\Windows\system32\services.exe[700] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 000F000C
.text C:\Windows\system32\services.exe[700] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00310FE5
.text C:\Windows\system32\lsass.exe[716] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00130FEF
.text C:\Windows\system32\lsass.exe[716] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 00130FD4
.text C:\Windows\system32\lsass.exe[716] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 0013000A
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 0014009D
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 00140F57
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 001400D3
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 00140F3C
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 00140F83
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 0014001B
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 00140FCA
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 00140082
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 0014005B
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 00140FAF
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 00140F9E
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 00140036
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 00140F72
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 00140F21
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 0014000A
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 00140FEF
.text C:\Windows\system32\lsass.exe[716] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 001400B8
.text C:\Windows\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyExA 772D39AB 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00520FAF
.text C:\Windows\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00520051
.text C:\Windows\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00520000
.text C:\Windows\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00520FC0
.text C:\Windows\system32\lsass.exe[716] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00520F9E
.text C:\Windows\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 00520036
.text C:\Windows\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 0052001B
.text C:\Windows\system32\lsass.exe[716] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00520FE5
.text C:\Windows\system32\lsass.exe[716] msvcrt.dll!_wsystem 76047F2F 1 Byte [E9]
.text C:\Windows\system32\lsass.exe[716] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 00150033
.text C:\Windows\system32\lsass.exe[716] msvcrt.dll!system 7604804B 5 Bytes JMP 00150022
.text C:\Windows\system32\lsass.exe[716] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 00150000
.text C:\Windows\system32\lsass.exe[716] msvcrt.dll!_open 7604D106 5 Bytes JMP 00150FEF
.text C:\Windows\system32\lsass.exe[716] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 00150011
.text C:\Windows\system32\lsass.exe[716] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 00150FD2
.text C:\Windows\system32\lsass.exe[716] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00530FEF
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00140000
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 0014001B
.text C:\Windows\system32\svchost.exe[916] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 00140FE5
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 00190F4B
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 00190091
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 001900BD
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 001900AC
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 00190F88
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 00190025
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 00190FD4
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 00190F66
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 00190062
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 00190051
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 00190FAF
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 00190040
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 00190F77
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 00190F0B
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 00190FE5
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 0019000A
.text C:\Windows\system32\svchost.exe[916] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 00190F30
.text C:\Windows\system32\svchost.exe[916] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 001A0FC8
.text C:\Windows\system32\svchost.exe[916] msvcrt.dll!system 7604804B 5 Bytes JMP 001A0053
.text C:\Windows\system32\svchost.exe[916] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 001A002E
.text C:\Windows\system32\svchost.exe[916] msvcrt.dll!_open 7604D106 5 Bytes JMP 001A000C
.text C:\Windows\system32\svchost.exe[916] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 001A0FE3
.text C:\Windows\system32\svchost.exe[916] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 001A001D
.text C:\Windows\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 001F0F5E
.text C:\Windows\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 001F0F9E
.text C:\Windows\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 001F0FEF
.text C:\Windows\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 001F0F79
.text C:\Windows\system32\svchost.exe[916] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 001F001B
.text C:\Windows\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 001F000A
.text C:\Windows\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 001F0FD4
.text C:\Windows\system32\svchost.exe[916] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 001F0FAF
.text C:\Windows\system32\svchost.exe[916] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00200FEF
.text C:\Windows\system32\svchost.exe[1008] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00750000
.text C:\Windows\system32\svchost.exe[1008] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 00750FDE
.text C:\Windows\system32\svchost.exe[1008] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 00750FEF
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 00760F50
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 00760F61
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 00760F06
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 00760F2B
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 00760F97
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 00760025
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 00760040
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 00760F72
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 00760FA8
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 00760FD4
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 00760FC3
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 0076005B
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 0076008C
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 00760EF5
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 0076000A
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 00760FEF
.text C:\Windows\system32\svchost.exe[1008] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 007600A7
.text C:\Windows\system32\svchost.exe[1008] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 00770067
.text C:\Windows\system32\svchost.exe[1008] msvcrt.dll!system 7604804B 5 Bytes JMP 00770042
.text C:\Windows\system32\svchost.exe[1008] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 00770FD2
.text C:\Windows\system32\svchost.exe[1008] msvcrt.dll!_open 7604D106 5 Bytes JMP 00770FEF
.text C:\Windows\system32\svchost.exe[1008] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 00770031
.text C:\Windows\system32\svchost.exe[1008] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 0077000C
.text C:\Windows\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 0078006F
.text C:\Windows\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00780FCD
.text C:\Windows\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 0078000A
.text C:\Windows\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 0078005E
.text C:\Windows\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00780080
.text C:\Windows\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 00780FEF
.text C:\Windows\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 00780025
.text C:\Windows\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00780FDE
.text C:\Windows\system32\svchost.exe[1008] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00790000
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00830000
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 0083001B
.text C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 00830FEF
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 008A0F77
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 008A0F88
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 008A0F55
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 008A00EC
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 008A0087
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 008A001B
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 008A0FCA
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 008A00A9
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 008A0FB9
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 008A005B
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 008A0076
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 008A0036
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 008A0098
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 008A0107
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 008A0FE5
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 008A0000
.text C:\Windows\System32\svchost.exe[1040] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 008A0F66
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 008B004E
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!system 7604804B 5 Bytes JMP 008B003D
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 008B0022
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_open 7604D106 5 Bytes JMP 008B0000
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 008B0FCD
.text C:\Windows\System32\svchost.exe[1040] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 008B0011
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00910F94
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00910FC0
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00910FEF
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00910FAF
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00910F83
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 00910025
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 0091000A
.text C:\Windows\System32\svchost.exe[1040] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00910036
.text C:\Windows\System32\svchost.exe[1040] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00DF0000
.text C:\Windows\System32\svchost.exe[1040] WININET.dll!InternetOpenA 76F14E33 5 Bytes JMP 008C0FEF
.text C:\Windows\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlA 76F1BFCE 5 Bytes JMP 008C0025
.text C:\Windows\System32\svchost.exe[1040] WININET.dll!InternetOpenW 76F4C02E 5 Bytes JMP 008C000A
.text C:\Windows\System32\svchost.exe[1040] WININET.dll!InternetOpenUrlW 76F7D70A 5 Bytes JMP 008C0040
.text C:\Windows\System32\svchost.exe[1108] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 0091000A
.text C:\Windows\System32\svchost.exe[1108] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 00910FE5
.text C:\Windows\System32\svchost.exe[1108] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 0091001B
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 00A300A4
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 00A30093
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 00A30F28
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 00A300B5
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 00A30F83
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 00A3000A
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 00A30025
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 00A30078
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 00A30F94
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 00A30040
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 00A30051
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 00A30FB9
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 00A30F72
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 00A30F17
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 00A30FD4
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 00A30FEF
.text C:\Windows\System32\svchost.exe[1108] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 00A30F43
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 00F10F92
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!system 7604804B 5 Bytes JMP 00F1001D
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 00F10FC1
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_open 7604D106 5 Bytes JMP 00F10FE3
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 00F1000C
.text C:\Windows\System32\svchost.exe[1108] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 00F10FD2
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00F20040
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00F20FB9
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00F20FEF
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00F20FA8
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00F20F8D
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 00F20025
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 00F2000A
.text C:\Windows\System32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00F20FD4
.text C:\Windows\System32\svchost.exe[1108] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00F30FEF
.text C:\Windows\System32\svchost.exe[1200] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 01710000
.text C:\Windows\System32\svchost.exe[1200] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 0171002C
.text C:\Windows\System32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 01710011
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 01720091
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 01720F4B
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 01720F04
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 01720F15
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 0172005B
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 01720FCA
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 0172001B
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 01720076
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 01720F77
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 01720040
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 01720F9E
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 01720FB9
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 01720F66
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 017200AC
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 01720000
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 01720FE5
.text C:\Windows\System32\svchost.exe[1200] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 01720F30
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 017C0F9C
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!system 7604804B 5 Bytes JMP 017C0FB7
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 017C0FD9
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!_open 7604D106 5 Bytes JMP 017C0000
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 017C0FC8
.text C:\Windows\System32\svchost.exe[1200] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 017C001D
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 017D0FDE
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 017D0FEF
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 017D0000
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 017D0076
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 017D0FC3
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 017D0040
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 017D001B
.text C:\Windows\System32\svchost.exe[1200] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 017D0051
.text C:\Windows\System32\svchost.exe[1200] WS2_32.dll!socket 776D36D1 5 Bytes JMP 0182000A
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 01270FEF
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 01270FCA
.text C:\Windows\system32\svchost.exe[1216] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 0127000A
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 020800AF
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 0208009E
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 020800DB
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 020800C0
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 02080072
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 02080FD1
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 02080022
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 0208008D
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 02080055
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 02080044
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 02080F98
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 02080033
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 02080F87
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 020800F6
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 02080011
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 02080000
.text C:\Windows\system32\svchost.exe[1216] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 02080F4E
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 02090042
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!system 7604804B 5 Bytes JMP 02090FC1
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 0209000C
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_open 7604D106 5 Bytes JMP 02090FEF
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 02090027
.text C:\Windows\system32\svchost.exe[1216] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 02090FD2
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 020E005B
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 020E002F
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 020E0FEF
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 020E004A
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 020E0076
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 020E0FB9
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 020E0FD4
.text C:\Windows\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 020E000A
.text C:\Windows\system32\svchost.exe[1216] WS2_32.dll!socket 776D36D1 5 Bytes JMP 020F0FEF
.text C:\Windows\system32\svchost.exe[1216] WININET.dll!InternetOpenA 76F14E33 5 Bytes JMP 02260FEF
.text C:\Windows\system32\svchost.exe[1216] WININET.dll!InternetOpenUrlA 76F1BFCE 5 Bytes JMP 02260025
.text C:\Windows\system32\svchost.exe[1216] WININET.dll!InternetOpenW 76F4C02E 5 Bytes JMP 0226000A
.text C:\Windows\system32\svchost.exe[1216] WININET.dll!InternetOpenUrlW 76F7D70A 5 Bytes JMP 02260040
.text C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00150000
.text C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 00150FCA
.text C:\Windows\system32\svchost.exe[1308] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 00150FE5
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 00160F81
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 001600C7
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 00160F55
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 001600E2
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 00160FAD
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 0016001B
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 00160036
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 001600B6
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 00160091
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 00160076
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 00160FD4
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 0016005B
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 00160F9C
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 00160111
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateFileW 75EBB0EB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 00160FEF
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 00160000
.text C:\Windows\system32\svchost.exe[1308] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 00160F66
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 00390FA1
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!system 7604804B 5 Bytes JMP 00390FB2
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 00390FCD
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!_open 7604D106 5 Bytes JMP 00390FEF
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 00390018
.text C:\Windows\system32\svchost.exe[1308] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 00390FDE
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00820F83
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00820FA8
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00820FEF
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00820025
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00820F72
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 00820014
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 00820FDE
.text C:\Windows\system32\svchost.exe[1308] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00820FC3
.text C:\Windows\system32\svchost.exe[1308] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00830FEF
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00080000
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 0008002C
.text C:\Windows\system32\svchost.exe[1364] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 00080011
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 00D30073
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 00D30062
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 00D30095
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 00D30084
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 00D30F6D
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 00D30FD4
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 00D30025
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 00D30F37
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 00D30047
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 00D30F9E
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 00D30036
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 00D30FB9
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 00D30F52
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 00D300A6
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 00D3000A
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 00D30FEF
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 00D30F12
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 00D40FAD
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!system 7604804B 5 Bytes JMP 00D40FBE
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 00D40FE3
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_open 7604D106 5 Bytes JMP 00D40000
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 00D40038
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 00D4001D
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00DE0F87
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00DE0033
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00DE0000
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00DE0FA2
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00DE0F76
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 00DE0FD1
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 00DE0011
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00DE0022
.text C:\Windows\system32\svchost.exe[1364] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00DF000A
.text C:\Windows\system32\svchost.exe[1364] WININET.dll!InternetOpenA 76F14E33 5 Bytes JMP 00D90000
.text C:\Windows\system32\svchost.exe[1364] WININET.dll!InternetOpenUrlA 76F1BFCE 5 Bytes JMP 00D90FC0
.text C:\Windows\system32\svchost.exe[1364] WININET.dll!InternetOpenW 76F4C02E 5 Bytes JMP 00D90FE5
.text C:\Windows\system32\svchost.exe[1364] WININET.dll!InternetOpenUrlW 76F7D70A 5 Bytes JMP 00D90011
.text C:\Windows\system32\svchost.exe[1504] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00160000
.text C:\Windows\system32\svchost.exe[1504] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 00160FC0
.text C:\Windows\system32\svchost.exe[1504] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 00160FDB
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 001800DA
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 001800BF
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 00180F6F
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 001800FC
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 00180F9E
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 0018001B
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 00180036
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 001800AE
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 00180FAF
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 0018005B
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 0018006C
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 00180FCA
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 00180093
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 00180F5E
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 0018000A
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 00180FE5
.text C:\Windows\system32\svchost.exe[1504] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 001800EB
.text C:\Windows\system32\svchost.exe[1504] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 00190FB9
.text C:\Windows\system32\svchost.exe[1504] msvcrt.dll!system 7604804B 5 Bytes JMP 00190044
.text C:\Windows\system32\svchost.exe[1504] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 00190029
.text C:\Windows\system32\svchost.exe[1504] msvcrt.dll!_open 7604D106 5 Bytes JMP 00190FEF
.text C:\Windows\system32\svchost.exe[1504] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 00190FDE
.text C:\Windows\system32\svchost.exe[1504] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 00190018
.text C:\Windows\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00DD0047
.text C:\Windows\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00DD001B
.text C:\Windows\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00DD0FE5
.text C:\Windows\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00DD0036
.text C:\Windows\system32\svchost.exe[1504] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00DD0058
.text C:\Windows\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 00DD0FB9
.text C:\Windows\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 00DD0FCA
.text C:\Windows\system32\svchost.exe[1504] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00DD0000
.text C:\Windows\system32\svchost.exe[1504] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00DE0000
.text C:\Windows\system32\svchost.exe[1732] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00280FEF
.text C:\Windows\system32\svchost.exe[1732] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 00280FD4
.text C:\Windows\system32\svchost.exe[1732] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 0028000A
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 0029006E
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 00290053
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 0029009A
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 00290F03
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 00290F4D
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 00290FD4
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 00290FB9
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 00290F28
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 00290F5E
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 00290F8A
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 00290F79
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 0029001B
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 00290042
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 002900B5
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!CreateFileW 75EBB0EB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 00290FEF
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 0029000A
.text C:\Windows\system32\svchost.exe[1732] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 0029007F
.text C:\Windows\system32\svchost.exe[1732] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 00820F89
.text C:\Windows\system32\svchost.exe[1732] msvcrt.dll!system 7604804B 5 Bytes JMP 00820F9A
.text C:\Windows\system32\svchost.exe[1732] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 00820000
.text C:\Windows\system32\svchost.exe[1732] msvcrt.dll!_open 7604D106 5 Bytes JMP 00820FE3
.text C:\Windows\system32\svchost.exe[1732] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 00820FAB
.text C:\Windows\system32\svchost.exe[1732] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 00820FC6
.text C:\Windows\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExA 772D39AB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00830FAF
.text C:\Windows\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00830051
.text C:\Windows\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00830FE5
.text C:\Windows\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00830FC0
.text C:\Windows\system32\svchost.exe[1732] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 0083006C
.text C:\Windows\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 0083001B
.text C:\Windows\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 0083000A
.text C:\Windows\system32\svchost.exe[1732] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00830036
.text C:\Windows\system32\svchost.exe[1732] WS2_32.dll!socket 776D36D1 5 Bytes JMP 0089000A
.text C:\Windows\system32\svchost.exe[1912] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 000B000A
.text C:\Windows\system32\svchost.exe[1912] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 000B0036
.text C:\Windows\system32\svchost.exe[1912] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 000B001B
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 005E0F4B
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 005E009B
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 005E00B6
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 005E0F1F
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 005E0F77
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 005E0000
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 005E0011
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 005E0076
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 005E0051
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 005E0F9E
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 005E0040
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 005E0FAF
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 005E0F66
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 005E0EFA
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 005E0FD4
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 005E0FE5
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 005E0F3A
.text C:\Windows\system32\svchost.exe[1912] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 00640042
.text C:\Windows\system32\svchost.exe[1912] msvcrt.dll!system 7604804B 5 Bytes JMP 00640031
.text C:\Windows\system32\svchost.exe[1912] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 00640FD2
.text C:\Windows\system32\svchost.exe[1912] msvcrt.dll!_open 7604D106 5 Bytes JMP 0064000C
.text C:\Windows\system32\svchost.exe[1912] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 00640FC1
.text C:\Windows\system32\svchost.exe[1912] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 00640FEF
.text C:\Windows\system32\svchost.exe[1912] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00650F9E
.text C:\Windows\system32\svchost.exe[1912] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00650025
.text C:\Windows\system32\svchost.exe[1912] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00650FEF
.text C:\Windows\system32\svchost.exe[1912] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00650036
.text C:\Windows\system32\svchost.exe[1912] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00650F8D
.text C:\Windows\system32\svchost.exe[1912] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 00650FC3
.text C:\Windows\system32\svchost.exe[1912] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 00650FD4
.text C:\Windows\system32\svchost.exe[1912] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00650014
.text C:\Windows\system32\svchost.exe[1912] WS2_32.dll!socket 776D36D1 5 Bytes JMP 0066000A
.text C:\Windows\system32\svchost.exe[2052] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 008D0FEF
.text C:\Windows\system32\svchost.exe[2052] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 008D000A
.text C:\Windows\system32\svchost.exe[2052] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 008D0FD4
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 008E0F50
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 008E0F61
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 008E0F10
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 008E00B1
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 008E0FA8
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 008E0FD4
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 008E0025
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 008E0F72
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 008E0082
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 008E005B
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 008E0FB9
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 008E0040
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 008E0F83
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 008E0EFF
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!CreateFileW 75EBB0EB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 008E0FEF
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 008E0000
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 008E0F35
.text C:\Windows\system32\svchost.exe[2052] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 008F0022
.text C:\Windows\system32\svchost.exe[2052] msvcrt.dll!system 7604804B 5 Bytes JMP 008F0F97
.text C:\Windows\system32\svchost.exe[2052] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 008F0011
.text C:\Windows\system32\svchost.exe[2052] msvcrt.dll!_open 7604D106 5 Bytes JMP 008F0000
.text C:\Windows\system32\svchost.exe[2052] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 008F0FB2
.text C:\Windows\system32\svchost.exe[2052] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 008F0FE3
.text C:\Windows\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00900040
.text C:\Windows\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00900FAF
.text C:\Windows\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00900FEF
.text C:\Windows\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00900F9E
.text C:\Windows\system32\svchost.exe[2052] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00900051
.text C:\Windows\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 0090001B
.text C:\Windows\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 0090000A
.text C:\Windows\system32\svchost.exe[2052] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00900FC0
.text C:\Windows\system32\svchost.exe[2052] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00910FEF
.text C:\Windows\System32\svchost.exe[2324] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00050FE5
.text C:\Windows\System32\svchost.exe[2324] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 00050011
.text C:\Windows\System32\svchost.exe[2324] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 00050000
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 00070F8B
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 000700C7
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 00070F55
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 000700F6
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 00070FB7
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 00070FEF
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 0007004A
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 00070F9C
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 00070091
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 00070065
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 00070080
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 00070FDE
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 000700AC
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 00070107
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 00070025
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 0007000A
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 00070F7A
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 00080F9E
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!system 7604804B 5 Bytes JMP 00080FB9
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 00080FDE
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!_open 7604D106 5 Bytes JMP 00080FEF
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 00080029
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 0008000C
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 00090FA8
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 00090FB9
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 00090FE5
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 00090040
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 00090F8D
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 00090FD4
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 0009000A
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 00090025
.text C:\Windows\System32\svchost.exe[2324] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00200000
.text C:\Windows\Explorer.EXE[3224] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00C40FE5
.text C:\Windows\Explorer.EXE[3224] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 00C4001B
.text C:\Windows\Explorer.EXE[3224] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 00C4000A
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 063E00E1
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 063E00D0
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 063E0117
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 063E00F2
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 063E009A
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 063E001B
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 063E002C
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 063E0F9B
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 063E0FC0
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 063E0058
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 063E0073
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 063E0047
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 063E00B5
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 063E0132
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 063E0000
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 063E0FE5
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 063E0F80
.text C:\Windows\Explorer.EXE[3224] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 0641005B
.text C:\Windows\Explorer.EXE[3224] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 06410FCD
.text C:\Windows\Explorer.EXE[3224] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 06410FEF
.text C:\Windows\Explorer.EXE[3224] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 0641004A
.text C:\Windows\Explorer.EXE[3224] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 06410F94
.text C:\Windows\Explorer.EXE[3224] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 06410FDE
.text C:\Windows\Explorer.EXE[3224] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 0641000A
.text C:\Windows\Explorer.EXE[3224] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 06410039
.text C:\Windows\Explorer.EXE[3224] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 063F0042
.text C:\Windows\Explorer.EXE[3224] msvcrt.dll!system 7604804B 5 Bytes JMP 063F0031
.text C:\Windows\Explorer.EXE[3224] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 063F0016
.text C:\Windows\Explorer.EXE[3224] msvcrt.dll!_open 7604D106 5 Bytes JMP 063F0FEF
.text C:\Windows\Explorer.EXE[3224] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 063F0FC1
.text C:\Windows\Explorer.EXE[3224] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 063F0FD2
.text C:\Windows\Explorer.EXE[3224] WS2_32.dll!socket 776D36D1 5 Bytes JMP 06420FEF
.text C:\Windows\Explorer.EXE[3224] WININET.dll!InternetOpenA 76F14E33 5 Bytes JMP 06400000
.text C:\Windows\Explorer.EXE[3224] WININET.dll!InternetOpenUrlA 76F1BFCE 5 Bytes JMP 06400FCA
.text C:\Windows\Explorer.EXE[3224] WININET.dll!InternetOpenW 76F4C02E 5 Bytes JMP 06400FE5
.text C:\Windows\Explorer.EXE[3224] WININET.dll!InternetOpenUrlW 76F7D70A 5 Bytes JMP 06400FAF
.text C:\Windows\system32\svchost.exe[5676] ntdll.dll!NtCreateFile 77604224 5 Bytes JMP 00170FEF
.text C:\Windows\system32\svchost.exe[5676] ntdll.dll!NtCreateProcess 776042E4 5 Bytes JMP 00170FCA
.text C:\Windows\system32\svchost.exe[5676] ntdll.dll!NtProtectVirtualMemory 77604B84 5 Bytes JMP 00170000
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!GetStartupInfoW 75E71929 5 Bytes JMP 00180F0D
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!GetStartupInfoA 75E719C9 5 Bytes JMP 00180F28
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!CreateProcessW 75E71BF3 5 Bytes JMP 00180EDE
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!CreateProcessA 75E71C28 5 Bytes JMP 00180075
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!VirtualProtect 75E71DC3 5 Bytes JMP 00180F54
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!CreateNamedPipeA 75E72EF5 5 Bytes JMP 00180011
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!CreateNamedPipeW 75E75C0C 5 Bytes JMP 00180022
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!CreatePipe 75E98F06 5 Bytes JMP 00180053
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 00180F65
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!LoadLibraryW 75E99400 5 Bytes JMP 00180F91
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!LoadLibraryExA 75E99554 5 Bytes JMP 00180F80
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!LoadLibraryA 75E9957C 5 Bytes JMP 00180FB6
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!VirtualProtectEx 75E9DC52 5 Bytes JMP 00180F43
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!GetProcAddress 75EB925B 5 Bytes JMP 00180086
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 00180FDB
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!CreateFileA 75EBD07F 5 Bytes JMP 00180000
.text C:\Windows\system32\svchost.exe[5676] kernel32.dll!WinExec 75F060CF 5 Bytes JMP 00180064
.text C:\Windows\system32\svchost.exe[5676] msvcrt.dll!_wsystem 76047F2F 5 Bytes JMP 006A0070
.text C:\Windows\system32\svchost.exe[5676] msvcrt.dll!system 7604804B 5 Bytes JMP 006A0055
.text C:\Windows\system32\svchost.exe[5676] msvcrt.dll!_creat 7604BBE1 5 Bytes JMP 006A0FEF
.text C:\Windows\system32\svchost.exe[5676] msvcrt.dll!_open 7604D106 5 Bytes JMP 006A0000
.text C:\Windows\system32\svchost.exe[5676] msvcrt.dll!_wcreat 7604D326 5 Bytes JMP 006A0044
.text C:\Windows\system32\svchost.exe[5676] msvcrt.dll!_wopen 7604D501 5 Bytes JMP 006A0029
.text C:\Windows\system32\svchost.exe[5676] ADVAPI32.dll!RegCreateKeyExA 772D39AB 5 Bytes JMP 007D0F86
.text C:\Windows\system32\svchost.exe[5676] ADVAPI32.dll!RegCreateKeyA 772D3BA9 5 Bytes JMP 007D0FB2
.text C:\Windows\system32\svchost.exe[5676] ADVAPI32.dll!RegOpenKeyA 772D89C7 5 Bytes JMP 007D0FEF
.text C:\Windows\system32\svchost.exe[5676] ADVAPI32.dll!RegCreateKeyW 772E391E 5 Bytes JMP 007D0F97
.text C:\Windows\system32\svchost.exe[5676] ADVAPI32.dll!RegCreateKeyExW 772E41F1 5 Bytes JMP 007D0F6B
.text C:\Windows\system32\svchost.exe[5676] ADVAPI32.dll!RegOpenKeyExA 772E7C42 5 Bytes JMP 007D0FC3
.text C:\Windows\system32\svchost.exe[5676] ADVAPI32.dll!RegOpenKeyW 772EE2B5 5 Bytes JMP 007D0FDE
.text C:\Windows\system32\svchost.exe[5676] ADVAPI32.dll!RegOpenKeyExW 772F7BA1 5 Bytes JMP 007D001E
.text C:\Windows\system32\svchost.exe[5676] WS2_32.dll!socket 776D36D1 5 Bytes JMP 007E000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\mfevtps.exe[604] @ C:\Windows\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [0100A4B0] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\system32\mfevtps.exe[604] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0100A510] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73877817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [738CA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7387BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7386F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [738775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7386E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [738A8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7387DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7386FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7386FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [738671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [738FCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7389C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7386D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73866853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7386687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73872AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [613473FB] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6134732D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61346BCD] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6134736D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [613473FB] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6134732D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6134736D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61346BCD] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [61345FBC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6134736D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [613473FB] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6134732D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61346BCD] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61345FBC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61345EF7] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [613467E4] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [613467E4] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [613473FB] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61346BCD] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6134736D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6134732D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61345FBC] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61345E64] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61345E26] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61345FC2] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [61345EF7] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [613467E4] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61346057] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!CreateFileA] [61346142] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!CreateFileW] [6134609C] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!LoadLibraryA] [6134732D] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll
IAT C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe[4824] @ C:\Windows\system32\SAMLIB.dll [KERNEL32.dll!GetProcAddress] [61346BCD] C:\PROGRA~1\Yahoo!\MESSEN~1\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----



aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-11-05 01:00:49
-----------------------------
01:00:49.614 OS Version: Windows 6.0.6002 Service Pack 2
01:00:49.614 Number of processors: 1 586 0x1601
01:00:49.616 ComputerName: HOME UserName:
01:00:50.720 Initialize success
01:00:58.033 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4
01:00:58.035 Disk 0 Vendor: Hitachi_HTS542512K9SA00 BB2OC33P Size: 114473MB BusType: 3
01:01:00.337 Disk 0 MBR read successfully
01:01:00.343 Disk 0 MBR scan
01:01:00.346 Disk 0 Windows VISTA default MBR code
01:01:00.429 Disk 0 scanning sectors +234440704
01:01:00.637 Disk 0 scanning C:\Windows\system32\drivers
01:01:34.715 Service scanning
01:01:36.651 Modules scanning
01:02:21.337 Disk 0 trace - called modules:
01:02:21.380 ntkrnlpa.exe CLASSPNP.SYS disk.sys ataport.SYS hal.dll PCIIDEX.SYS msahci.sys
01:02:21.384 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85dcdac8]
01:02:21.388 3 CLASSPNP.SYS[835798b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x857da390]
01:02:21.393 Scan finished successfully
01:02:32.858 Disk 0 MBR has been saved successfully to "C:\Users\cliff\Downloads\MBR.dat"
01:02:32.886 The log file has been saved successfully to "C:\Users\cliff\Downloads\aswMBR.txt"
  • 0

#5
Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
That Extras.txt log was mostly to check installed programs, though it isn't always created on some Vista and Win 7 systems. Not sure why though. This is curious - an early bootup setting, with duplicate listings and a suggestion of some action related to the C drive:

O34 - HKLM BootExecute: (autocheck autochk /p \??\C:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

Have you scheduled a Check Disk startup scan recently (type chkdsk /r at a command window prompt, as example)? Gmer shows a very busy bunch of "hooks" with the running processes there, but those could be McAfee. One reason it tends to slow systems down so bad. Have to see on that though.

Some adware/spyware/search hijackers showing as installed there, so let's act on those, then run an aggressive repair-type scan after.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Go to Start - Control Panel - Programs - Programs and Features, then click on each of the following programs, if they show there, and click "Uninstall/Change".

Gamers Unite! Snag Bar
SweetIM Toolbar (SweetIM itself seems to use methods not with the user's best interests at heart)
Ask Toolbar
Zynga Toolbar (amazing - an adware vendor now is the main Facebook game vendor)
Mafia Mofo Tools Community Toolbar (may only be loading in Firefox, and not show as an uninstall option)

I am not sure this uninstalls, but just know it is not to be relied on for anything, so not helpful or useful:

McAfee SiteAdvisor Toolbar

Click the "View Community Reviews" here, where McAfee shows the major adware vendor, Freeze.com (also W3i), as "green".

------------

In Firefox, go to Tools - Add-ons, and uninstall any of the above programs that show there.

-----------

Download ComboFix.exe from here to your desktop, then click that to run that scan. Agree to any warnings you might receive.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.
  • 0
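The hook lines and the O34 BootExecute entries Jintan points at above are easier to judge in aggregate than one line at a time. What follows is an added example, not code from this thread, from GMER or from OTL: a small Python parser, run over constructed sample lines modelled on the logs posted here, that tallies GMER user-mode inline hooks per process, groups their JMP targets by 64 KiB region, lists the symbols that are hooked in every scanned process (the pattern a product that injects into all processes, such as a HIPS or AV, leaves behind, as opposed to a single odd process), and classifies OTL O34 BootExecute entries against the Vista default `autocheck autochk *`. The function names, the sample strings and the heuristics are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a few GMER ".text" hook lines modelled on the ones
# posted in this thread (same format, same processes), including one
# partial-patch line ("1 Byte [E9]") that carries no JMP target.
SAMPLE_GMER = r"""
.text C:\Windows\system32\svchost.exe[1912] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 005E0051
.text C:\Windows\system32\svchost.exe[1912] msvcrt.dll!system 7604804B 5 Bytes JMP 00640031
.text C:\Windows\system32\svchost.exe[1912] WS2_32.dll!socket 776D36D1 5 Bytes JMP 0066000A
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!CreateFileW 75EBB0EB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[2052] kernel32.dll!CreateFileW 75EBB0EB 5 Bytes JMP 008E0FEF
.text C:\Windows\system32\svchost.exe[2052] WS2_32.dll!socket 776D36D1 5 Bytes JMP 00910FEF
.text C:\Windows\Explorer.EXE[3224] kernel32.dll!LoadLibraryExW 75E9927C 5 Bytes JMP 063E0FC0
.text C:\Windows\Explorer.EXE[3224] WS2_32.dll!socket 776D36D1 5 Bytes JMP 06420FEF
.text C:\Windows\Explorer.EXE[3224] WININET.dll!InternetOpenA 76F14E33 5 Bytes JMP 06400000
"""

# Constructed sample: the two OTL O34 lines quoted in the post above.
SAMPLE_OTL = r"""
O34 - HKLM BootExecute: (autocheck autochk /p \??\C:) - File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<size>\d+)\s+Bytes?\s*(?P<rest>.*)$"
)
O34_RE = re.compile(r"^O34 - HKLM BootExecute: \((?P<cmd>[^)]*)\)")
DEFAULT_BOOTEXECUTE = "autocheck autochk *"  # Vista/Win7 default value


def parse_hooks(lines):
    """Return one dict per GMER user-mode inline-hook line; other lines are skipped."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        jmp = re.search(r"JMP\s+([0-9A-Fa-f]+)", m.group("rest"))
        hooks.append({
            "image": m.group("image"),
            "pid": int(m.group("pid")),
            "symbol": f'{m.group("module")}!{m.group("func")}',
            "patch_bytes": int(m.group("size")),
            "target": int(jmp.group(1), 16) if jmp else None,  # None for "[E9]" lines
        })
    return hooks


def summarise(hooks):
    """Aggregate hooks per (image, pid) and record which pids hook each symbol."""
    per_process = defaultdict(lambda: {"hooks": 0, "symbols": set(), "trampoline_pages": set()})
    per_symbol = defaultdict(set)
    for h in hooks:
        entry = per_process[(h["image"], h["pid"])]
        entry["hooks"] += 1
        entry["symbols"].add(h["symbol"])
        if h["target"] is not None:
            # Group JMP targets by 64 KiB region: one injected component tends
            # to place all trampolines for a given DLL in one private region.
            entry["trampoline_pages"].add(h["target"] >> 16)
        per_symbol[h["symbol"]].add(h["pid"])
    return dict(per_process), dict(per_symbol)


def hooked_everywhere(per_symbol, process_count):
    """Symbols hooked in every scanned process: what a whole-system HIPS/AV
    produces. A symbol hooked in only one process deserves a closer look."""
    return sorted(s for s, pids in per_symbol.items() if len(pids) >= process_count)


def bootexecute_findings(lines):
    """Classify OTL O34 BootExecute entries against the default value."""
    findings = []
    for line in lines:
        m = O34_RE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd")
        if cmd == DEFAULT_BOOTEXECUTE:
            verdict = "default"
        elif cmd.startswith("autocheck autochk ") and "\\??\\" in cmd:
            # A volume-specific autochk entry means a disk check was queued
            # for that volume at the next boot (the question asked above).
            verdict = "scheduled volume check"
        else:
            verdict = "non-standard, review"
        findings.append((cmd, verdict))
    return findings


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_GMER.splitlines())
    per_process, per_symbol = summarise(hooks)
    for (image, pid), e in per_process.items():
        print(f"{image}[{pid}]: {e['hooks']} hooks, {len(e['symbols'])} symbols, "
              f"{len(e['trampoline_pages'])} trampoline region(s)")
    print("hooked in every process:", hooked_everywhere(per_symbol, len(per_process)))
    for cmd, verdict in bootexecute_findings(SAMPLE_OTL.splitlines()):
        print(f"BootExecute: {cmd!r} -> {verdict}")
```

On the thread's full GMER output the "hooked in every process" list is long (NtCreateFile, CreateProcessW, LoadLibrary*, socket and so on, in every svchost and in Explorer), which is the uniform pattern Jintan attributes to McAfee; the thing to chase is the exception, a process or symbol hooked differently from all the others, or a trampoline region that no known module owns.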

#6
dantemic1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Just a quick question before I go to work, but can you tell if I got hacked because I am pretty [bleep] sure I got hacked last night. I was searching the word cajones so I could spell it right and when I would press enter it would go to water as my search, and then I was just having trouble with the volume on my comp, I would try to turn it down but it would only go up, not to mention I am lagging like a mofo which never happened that bad before. Any way you can see if I got hacked for sure? I will be available to do the scans Monday night after work......Just curious if there is a scanner that can tell if you were hacked...
  • 0

#7
Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
Instead of "hacker", which really is a rare event, consider malware, which by its nature "hacks", and just about anything. Search issues suggest rootkit/bootkit. Like I said, there are a lot of Gmer "hacks" (let's say), but they could be McAfee. Difficult to tell when McAfee is involved. But let's see what all is there, and start some repairs.
  • 0

#8
dantemic1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Just wanted to let you know that I will be doing the scan later on today sometime. Thought to tell you so you didn't think I was just not doing it. I was out of town the last couple days.
  • 0

#9
Jintan

    Trusted Helper

  • Malware Removal
  • 904 posts
Thanks for the update. Just post when ready.
  • 0

#10
dantemic1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I did the scan and it said it saved the log, but when I went to look for it I couldn't find it. I would have just posted the log right when it popped up, but my internet went out and I had to restart my laptop. I guess I will have to do the scan again tomorrow and post the new log, even though it will not show you the files and folders it deleted on the first post. :)
  • 0

#11
dantemic1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Here is the log from the 2nd time I ran the log....

ComboFix 11-11-09.02 - cliff 11/09/2011 14:35:41.2.1 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.1210 [GMT -6:00]
Running from: c:\users\cliff\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\cliff\AppData\Local\Temp\1.tmp\F_IN_BOX.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-10-09 to 2011-11-09 )))))))))))))))))))))))))))))))
.
.
2011-11-09 20:57 . 2011-11-09 20:57 0 ---ha-w- c:\users\cliff\AppData\Local\BITCDF8.tmp
2011-11-09 20:54 . 2011-11-09 20:54 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-11-09 20:54 . 2011-11-09 20:54 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-11-09 20:51 . 2011-11-09 20:56 -------- d-----w- c:\users\cliff\AppData\Local\temp
2011-11-09 20:51 . 2011-11-09 20:51 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-11-09 20:51 . 2011-11-09 20:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-11-09 05:02 . 2011-09-30 15:57 707584 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-09 05:02 . 2011-10-17 11:41 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-11-09 05:02 . 2011-09-20 21:02 905088 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-05 04:31 . 2011-11-05 04:31 100864 ----a-w- C:\fgtdipow.sys
2011-11-04 08:58 . 2011-11-04 08:58 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\Xobni
2011-11-03 19:30 . 2011-11-03 19:35 -------- d-----w- c:\users\cliff\AppData\Local\Spotify
2011-11-03 19:30 . 2011-11-09 16:59 -------- d-----w- c:\users\cliff\AppData\Roaming\Spotify
2011-10-18 20:12 . 2011-10-18 20:13 -------- d-----w- c:\users\cliff\FrostWire
2011-10-18 20:11 . 2011-11-06 13:37 -------- d-----w- c:\users\cliff\.frostwire5
2011-10-18 20:11 . 2011-10-18 20:19 -------- d-----w- c:\program files\FrostWire 5
2011-10-17 17:05 . 2011-10-17 17:05 0 ---ha-w- c:\users\cliff\AppData\Local\BIT1D40.tmp
2011-10-13 17:03 . 2011-08-25 16:14 238080 ----a-w- c:\windows\system32\oleacc.dll
2011-10-13 17:03 . 2011-08-25 16:15 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2011-10-13 17:03 . 2011-08-25 16:14 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-10-13 17:03 . 2011-08-25 13:31 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2011-10-13 17:03 . 2011-07-29 16:01 293376 ----a-w- c:\windows\system32\psisdecd.dll
2011-10-13 17:02 . 2011-07-29 16:01 217088 ----a-w- c:\windows\system32\psisrndr.ax
2011-10-13 17:02 . 2011-07-29 16:00 69632 ----a-w- c:\windows\system32\Mpeg2Data.ax
2011-10-13 17:02 . 2011-07-29 16:00 57856 ----a-w- c:\windows\system32\MSDvbNP.ax
2011-10-13 17:02 . 2011-09-06 13:30 2043392 ----a-w- c:\windows\system32\win32k.sys
2011-10-13 16:54 . 2011-10-13 16:54 -------- d-----w- c:\programdata\Affinegy
2011-10-13 16:54 . 2011-10-13 16:54 -------- d-----w- c:\program files\Belkin
2011-10-12 16:04 . 2011-11-09 16:57 -------- d-----w- c:\users\cliff\AppData\Local\Htc
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-09 20:54 . 2011-11-09 20:54 56200 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7E88D7EC-3A28-4055-B644-2D3054474595}\offreg.dll
2011-11-09 16:12 . 2010-01-07 00:33 44544 ----a-w- c:\windows\system32\agremove.exe
2011-10-07 03:48 . 2011-11-08 20:59 6668624 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{7E88D7EC-3A28-4055-B644-2D3054474595}\mpengine.dll
2011-10-03 11:06 . 2010-05-20 23:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-09-16 09:28 . 2011-09-16 09:28 0 ---ha-w- c:\users\cliff\AppData\Local\BITE780.tmp
2011-08-31 22:00 . 2009-02-26 00:21 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-19 20:59 . 2011-01-02 23:11 148520 ----a-w- c:\windows\system32\mfevtps.exe
2011-08-15 15:00 . 2011-09-16 04:21 338040 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2011-08-15 15:00 . 2011-01-03 00:23 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2011-08-15 15:00 . 2011-01-03 00:21 87808 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2011-08-15 15:00 . 2011-01-03 00:21 64712 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
2011-08-15 15:00 . 2011-01-03 00:21 59288 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2011-08-15 15:00 . 2011-01-03 00:21 57432 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-08-15 15:00 . 2011-01-03 00:21 180072 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2011-08-15 15:00 . 2011-01-03 00:21 164776 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
2011-08-15 15:00 . 2010-10-14 04:28 461864 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2011-08-15 15:00 . 2010-10-14 04:28 119808 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2011-04-30 17:55 . 2011-04-19 14:17 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2011-01-03 00:23 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((( [email protected]_04.27.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-11-09 05:02 . 2011-09-30 16:03 41984 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.0.6002.22722_none_577fedfa601b69cd\wabimp.dll
+ 2006-11-02 08:48 . 2006-11-02 09:46 41984 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.0.6002.18521_none_56f54eff46feb385\wabimp.dll
+ 2011-11-09 05:02 . 2011-09-20 13:44 31232 c:\windows\winsxs\x86_microsoft-windows-l..istry-support-tcpip_31bf3856ad364e35_6.0.6002.22719_none_888b887e1bb0d5d9\tcpipreg.sys
+ 2008-01-21 01:58 . 2011-11-09 20:56 55876 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2011-11-09 20:57 67060 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-07 15:31 . 2011-11-09 20:57 11470 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2883493492-1982095606-3702794389-1000_UserData.bin
+ 2009-06-17 16:06 . 2011-11-09 20:55 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-17 16:06 . 2011-11-09 04:25 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-17 16:06 . 2011-11-09 20:55 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-17 16:06 . 2011-11-09 04:25 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-17 16:06 . 2011-11-09 20:55 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-17 16:06 . 2011-11-09 04:25 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-09 20:54 . 2011-11-09 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2011-11-09 04:25 . 2011-11-09 04:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2011-11-09 20:54 . 2011-11-09 20:54 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2011-11-09 04:25 . 2011-11-09 04:25 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2011-11-09 05:02 . 2011-09-30 16:03 707584 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.0.6002.22722_none_577fedfa601b69cd\wab32.dll
+ 2011-11-09 05:02 . 2011-09-30 15:57 707584 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.0.6002.18521_none_56f54eff46feb385\wab32.dll
+ 2011-11-09 05:02 . 2011-09-20 21:02 913280 c:\windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.22719_none_b58c64c97caa1c43\tcpip.sys
+ 2011-11-09 05:02 . 2011-09-20 21:02 905088 c:\windows\winsxs\x86_microsoft-windows-tcpip-binaries_31bf3856ad364e35_6.0.6002.18519_none_b502c618638c7f52\tcpip.sys
+ 2006-11-02 10:33 . 2011-11-09 21:01 610022 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2011-11-09 04:32 610022 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2011-11-09 21:01 106228 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2011-11-09 04:32 106228 c:\windows\System32\perfc009.dat
+ 2011-11-09 05:07 . 2011-10-03 11:06 157472 c:\windows\System32\javaws.exe
- 2011-06-14 23:23 . 2011-05-04 09:52 157472 c:\windows\System32\javaws.exe
- 2011-06-14 23:23 . 2011-05-04 09:52 145184 c:\windows\System32\javaw.exe
+ 2011-11-09 05:07 . 2011-10-03 11:06 145184 c:\windows\System32\javaw.exe
+ 2011-11-09 05:07 . 2011-10-03 11:06 145184 c:\windows\System32\java.exe
- 2011-06-14 23:23 . 2011-05-04 09:52 145184 c:\windows\System32\java.exe
+ 2009-10-21 01:28 . 2011-11-09 05:07 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2009-10-21 01:28 . 2011-06-14 23:23 262144 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\UsrClass.dat
- 2010-10-21 07:23 . 2011-11-09 04:23 395252 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2010-10-21 07:23 . 2011-11-09 20:53 395252 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2011-11-09 05:02 . 2011-09-30 14:00 1098752 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.0.6002.22722_none_577fedfa601b69cd\wab32res.dll
+ 2006-11-02 07:28 . 2006-11-02 07:28 1098752 c:\windows\winsxs\x86_microsoft-windows-wab-core_31bf3856ad364e35_6.0.6002.18521_none_56f54eff46feb385\wab32res.dll
+ 2011-11-09 05:02 . 2011-10-17 12:12 2409784 c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6002.22727_none_f4e99c1b81c817b7\OESpamFilter.dat
+ 2011-11-09 05:02 . 2011-10-17 11:41 2409784 c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6002.18529_none_f461fdfe68a8ad74\OESpamFilter.dat
+ 2006-11-02 10:22 . 2011-11-09 20:53 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2006-11-02 10:22 . 2011-10-14 09:19 6553600 c:\windows\System32\SMI\Store\Machine\schema.dat
- 2011-04-24 07:18 . 2011-11-09 04:24 6276400 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2011-04-24 07:18 . 2011-11-09 20:53 6276400 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2010-10-22 07:50 . 2011-11-09 04:24 2628884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2883493492-1982095606-3702794389-1000-8192.dat
+ 2010-10-22 07:50 . 2011-11-09 20:53 2628884 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2883493492-1982095606-3702794389-1000-8192.dat
+ 2011-11-09 20:33 . 2011-11-09 20:33 6537216 c:\windows\ERDNT\Hiv-backup\schema.dat
+ 2006-11-02 10:24 . 2011-11-09 14:44 50295240 c:\windows\System32\mrt.exe
+ 2009-06-17 20:26 . 2011-11-09 05:01 265935148 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn9\YTNavAssist.dll" [2011-03-16 214840]
.
[HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin.1]
[HKEY_CLASSES_ROOT\TypeLib\{A31F34A1-EBD2-45A2-BF6D-231C1B987CC8}]
[HKEY_CLASSES_ROOT\YTNavAssist.YTNavAssistPlugin]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK]
@="{3c3f3c1a-9153-7c05-f938-622e7003894d}"
[HKEY_CLASSES_ROOT\CLSID\{3c3f3c1a-9153-7c05-f938-622e7003894d}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK2]
@="{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}"
[HKEY_CLASSES_ROOT\CLSID\{e6ea1d7d-144e-b977-98c4-84c53c1a69d0}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\MOBK3]
@="{b4caf489-1eec-c617-49ad-8d7088598c06}"
[HKEY_CLASSES_ROOT\CLSID\{b4caf489-1eec-c617-49ad-8d7088598c06}]
2010-04-14 02:11 2872120 ----a-w- c:\program files\McAfee Online Backup\MOBKshell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-25 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Spotify"="c:\users\cliff\AppData\Roaming\Spotify\Spotify.exe" [2011-10-18 6710912]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HWSetup"="\HWSetup.exe hwSetUP" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-20 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-20 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-20 129560]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-01-22 712704]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2006-09-11 180224]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-29 75136]
"NDSTray.exe"="NDSTray.exe" [BU]
"SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-03-23 438272]
"KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-11-15 29744]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-30 4911104]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Skytel"="Skytel.exe" [2007-11-21 1826816]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
"SweetIM"="c:\program files\SweetIM\Messenger\SweetIM.exe" [2010-03-17 106496]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-09-16 1318552]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"HTC Sync Loader"="c:\program files\HTC\HTC Sync 3.0\htcUPCTLoader.exe" [2011-08-22 593920]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2011-02-25 1770400]
.
c:\users\cliff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Advanced Registry Optimizer.lnk - c:\program files\Advanced Registry Optimizer\ARO.exe [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
McAfee Online Backup Status.lnk - c:\program files\McAfee Online Backup\MOBKstat.exe [2010-4-13 3045176]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-11-15 29744]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 135664]
R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-06-10 24576]
R3 htcnprot;HTC NDIS Protocol Driver;c:\windows\system32\DRIVERS\htcnprot.sys [2010-06-23 23040]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [2007-10-30 937984]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-08-31 22216]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-08-15 87808]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S0 rpcnetp;rpcnetp; [x]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2007-09-01 20352]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2011-08-15 64712]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2011-08-15 164776]
S1 MOBKFilter;MOBKFilter;c:\windows\system32\DRIVERS\MOBK.sys [2010-04-14 54776]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2007-12-25 40960]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 214904]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2011-08-19 160344]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-08-19 148520]
S2 MOBKbackup;McAfee Online Backup;c:\program files\McAfee Online Backup\MOBKbackup.exe [2010-04-14 229688]
S2 PassThru Service;Internet Pass-Through Service;c:\program files\HTC\Internet Pass-Through\PassThruSvr.exe [2011-08-12 87040]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-08-15 57432]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-08-15 338040]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2011-04-27 18:42 114176 ----a-w- c:\windows\System32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 00:24]
.
2011-11-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-05 00:24]
.
2011-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2883493492-1982095606-3702794389-1000Core1cc0223f69c98ab.job
- c:\users\cliff\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-08 21:58]
.
2011-11-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2883493492-1982095606-3702794389-1000UA.job
- c:\users\cliff\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-08 21:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mStart Page = hxxp://home.sweetim.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\users\cliff\AppData\Roaming\Mozilla\Firefox\Profiles\hrl7wxku.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2423966&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/gamers_tbar/ws/redir?_iceUrl=true&user_id=60391033&tool_id=62781&qkw=
FF - prefs.js: network.proxy.type - 0
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-09 14:56
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5496)
c:\program files\McAfee Online Backup\MOBKshell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\windows\system32\agrsmsvc.exe
c:\windows\system32\rundll32.exe
c:\toshiba\IVP\ISM\pinger.exe
c:\windows\System32\rpcnetp.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Xobni\XobniService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\NOTEPAD.EXE
.
**************************************************************************
.
Completion time: 2011-11-09 15:20:23 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-09 21:18
ComboFix2.txt 2011-11-09 04:51
.
Pre-Run: 57,296,318,464 bytes free
Post-Run: 57,042,976,768 bytes free
.
- - End Of File - - C2C9AB3DCC8F589C4F33107E1D16B2C4
  • 0

#12 Jintan (Trusted Helper, Malware Removal, 904 posts)
Wouldn't mind knowing what that first ComboFix run removed. Locate the following file, and post that log in your next reply:

C:\QooBox\ComboFix-quarantined-files.txt

Let's make some changes, then scan to check what might remain.


REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\
  00,00

Open Notepad (Start Search, type Notepad then press OK), and copy the text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "fixer.reg"

Be sure to include the "" quotes in the name.

Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.

---------

Navigate to and delete the orphaned shortcut (which is good - ARO is not considered beneficial software):

c:\users\cliff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Advanced Registry Optimizer.lnk

---------

Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open and update Malwarebytes.

* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform quick scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by Malwarebytes and can be viewed by clicking the Logs tab in Malwarebytes.
* Copy and Paste the entire report in your next reply. If it calls for a reboot to complete the repairs do that as well then.

---------------

Disable your antivirus program and click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file to run the scanner.

If you accept the Terms of Use, check the box and click Start. It will take a couple minutes for the scanner to get ready. When the Computer scan settings display shows, check the following boxes:

Remove found threats
Scan unwanted applications


Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Then click the Advanced option, then place a check next to the following (if it is not already checked):

Enable Anti-Stealth technology

Click Start. This scan may take a while, so please be patient.

If infection is found, at the end of the scan click "List of found threats".

In that display, at the bottom, select the option to save the results as a text file, and save that to your desktop. Post that back here please.

Post that log and the Malwarebytes log please.
  • 0
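Jintan's fixer.reg above resets BootExecute to the Windows default, written in the REGEDIT4 hex(7) form. The following Python helper is an added example, not code from this thread, from ComboFix or from Windows: it decodes and encodes that hex(7) representation (ANSI bytes for REGEDIT4 files, UTF-16LE for files with the "Windows Registry Editor Version 5.00" header), splits a BootExecute value the way ComboFix printed it earlier in this thread, and lists the entries that differ from the default. All function and constant names are my own; the sample values are copied from the thread and the ComboFix rendering is constructed from the log line.

```python
"""Decode/encode the REG_MULTI_SZ hex(7) form used in .reg files and flag
non-default BootExecute entries. Added example; not part of the thread,
ComboFix or Windows. Names such as decode_multi_sz are my own."""

# Windows default BootExecute entry (autochk runs on volumes marked dirty).
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]

# The value from the fixer.reg in the thread (REGEDIT4, so ANSI encoding),
# including regedit's backslash line continuation.
FIXER_REG_VALUE = (
    "hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,\\\n"
    "  00,00"
)

# The value as ComboFix printed it earlier in the thread; ComboFix joins the
# entries of a REG_MULTI_SZ with a literal "\0" (constructed from that log line).
COMBOFIX_BOOT_EXECUTE = r"autocheck autochk /p \??\C:\0autocheck autochk *"


def decode_multi_sz(reg_value: str, unicode_file: bool = False) -> list[str]:
    """Decode 'hex(7):..' (with regedit's backslash line continuations) into
    the list of strings it encodes. REGEDIT4 files store ANSI bytes; files with
    the 'Windows Registry Editor Version 5.00' header store UTF-16LE."""
    if not reg_value.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ hex(7) value")
    body = reg_value[len("hex(7):"):]
    # Drop continuation backslashes, newlines and indentation, then parse bytes.
    cleaned = "".join(ch for ch in body if ch not in "\\ \r\n\t")
    raw = bytes(int(h, 16) for h in cleaned.split(",") if h)
    text = raw.decode("utf-16-le" if unicode_file else "cp1252")
    entries = text.split("\x00")
    # Each string is NUL-terminated and the list ends with one more NUL,
    # so the split leaves trailing empty pieces; strip them.
    while entries and entries[-1] == "":
        entries.pop()
    return entries


def encode_multi_sz(entries: list[str], unicode_file: bool = False) -> str:
    """Inverse of decode_multi_sz, emitted on a single line (regedit wraps)."""
    text = "".join(e + "\x00" for e in entries) + "\x00"
    raw = text.encode("utf-16-le" if unicode_file else "cp1252")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def split_combofix_multi_sz(line_value: str) -> list[str]:
    """Split ComboFix's rendering of a REG_MULTI_SZ, which joins entries with a
    literal backslash-zero. Assumption: no entry itself contains the text '\\0'."""
    return [e for e in line_value.split("\\0") if e]


def non_default_boot_execute(entries: list[str]) -> list[str]:
    """Return BootExecute entries that are not the Windows default. Anything
    extra (a scheduled autochk with switches, or an unknown program name) is
    what a responder wants to review before the next boot."""
    return [e for e in entries if e not in DEFAULT_BOOT_EXECUTE]


if __name__ == "__main__":
    print("fixer.reg writes:", decode_multi_sz(FIXER_REG_VALUE))
    found = split_combofix_multi_sz(COMBOFIX_BOOT_EXECUTE)
    print("ComboFix reported:", found)
    print("non-default entries:", non_default_boot_execute(found))
```

Run as a script it shows that the .reg file writes exactly the one default entry, and that the value ComboFix reported carried one extra entry, the autochk line for C:, which is what merging fixer.reg removes. Decoding with the wrong encoding flag is the usual mistake with hex(7) values: a REGEDIT4 file read as UTF-16LE yields garbage, so the helper takes the file format as an explicit argument.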

#13 dantemic1 (Member, Topic Starter, 16 posts)
I don't know how to do this step "Navigate to and delete the orphaned shortcut (which is good - ARO is not considered beneficial software):

c:\users\cliff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Advanced Registry Optimizer.lnk" but I have done the rest. If you could tell me how to find what you want me to delete I can do it, but I am not that computer literate just yet. Here are the logs you have asked for. For the one that you just had me download there isn't a report for it because it says no threats were found.

2011-11-09 04:58:01 . 2011-11-09 16:57:26 180,224 ----a-w- C:\Qoobox\Quarantine\C\Users\cliff\AppData\Local\Temp\1.tmp\F_IN_BOX.dll.vir
2011-11-09 04:47:20 . 2011-11-09 04:47:20 166 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Messenger (Yahoo!).reg.dat
2011-11-09 04:47:20 . 2011-11-09 04:47:20 180 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-ISUSPM.reg.dat
2011-11-09 04:47:20 . 2011-11-09 04:47:20 163 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-DW6.reg.dat
2011-11-09 04:47:20 . 2011-11-09 04:47:20 165 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-msnmsgr.reg.dat
2011-11-09 04:47:06 . 2011-11-09 04:47:06 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593}.reg.dat
2011-11-09 04:47:06 . 2011-11-09 04:47:06 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847}.reg.dat
2011-11-09 04:12:38 . 2011-11-09 20:44:17 7,594 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2011-11-09 03:58:38 . 2011-11-09 20:35:41 246 ----a-w- C:\Qoobox\Quarantine\catchme.log
2011-10-13 16:54:31 . 2011-10-13 16:54:31 51 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\drivers\etc\lmhosts.vir
2007-11-07 13:03:18 . 2007-11-07 13:03:18 562,688 ----a-w- C:\Qoobox\Quarantine\C\Install.exe.vir
2006-12-12 19:13:20 . 2006-12-12 19:13:20 32,768 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\XP\EBLib.dll.vir
2006-06-23 00:27:12 . 2006-06-23 00:27:12 11,264 ----a-w- C:\Qoobox\Quarantine\C\ProgramData\XP\TPwSav.sys.vir



Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8147

Windows 6.0.6002 Service Pack 2
Internet Explorer 9.0.8112.16421

11/12/2011 12:01:06 PM
mbam-log-2011-11-12 (12-01-06).txt

Scan type: Quick scan
Objects scanned: 174092
Time elapsed: 6 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  • 0

#14 Jintan (Trusted Helper, Malware Removal, 904 posts)
Just need to right click Computer, left click Explore (or open), then use the small drop downs to the left of the list to navigate to this file, and delete it:

c:\users\cliff\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Advanced Registry Optimizer.lnk


No active infection being found, and looks like ComboFix removed some legit Toshiba files by mistake. Let's have ComboFix put those back. Aside from doing that, things look okay here. Are there any problems we have yet to address?


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


Open notepad (go to Start Search, type notepad and press Enter) and copy/paste the text in the codebox below into it:

DEQUARANTINE::
C:\Qoobox\Quarantine\C\ProgramData\XP\EBLib.dll.vir
C:\Qoobox\Quarantine\C\ProgramData\XP\TPwSav.sys.vir
QUIT::

Save this to your desktop as CFScript.txt


You should now have both ComboFix and that CFScript.txt on the desktop. Just left click/hold on the CFScript.txt file, and drag it into ComboFix to start the scan.

ComboFix will run a brief limited scan, after which a log will pop up (also located at C:\DeQuarantine.txt). Post that back here please.
  • 0

#15 dantemic1 (Member, Topic Starter, 16 posts)
I will be gone for a few days cause my mom just had quadruple bypass surgery today. I wanted to let you know so you didn't think I just stopped doing this stuff. :)
  • 0





