ILivid and Bandoo Media stuff and Searchqu, which hijacked the search


  • This topic is locked

#1
mouseandmoon

    New Member

  • Member
  • 3 posts
Searchqu hijacked my search bar in Firefox. I have removed it and uninstalled it in Control Panel, but iLivid will not uninstall, and they are both probably in my registry for next time I reboot, and I can't get rid of them. I have got a HijackThis log and GMER log etc. I can post these if necessary. Can anyone help me? Thanks

#2
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :yes:

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together :)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Scanning with GMER

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.


Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and attach it in your reply.

Notes:
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries


-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

NEXT:

Running OTL

We need to create a FULL OTL Report
  • Please download OTL from here:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

NEXT:


Please provide an update on how things are running in your next reply.

#3
mouseandmoon

    New Member

  • Topic Starter
  • Member
  • 3 posts
Hi ST
Thanks for your reply and offer of help. I have run all the reports as requested and will copy and paste them into this reply below. My PC seems to be running quite slow, but Searchqu seems to have gone and has not hijacked my Firefox toolbar again. I still can't get rid of the iLivid program through the Control Panel Add/Remove Programs.

Would welcome suggestions or fixes that might solve these problems and any others you might pick up while scanning my report logs.
Thank you
Mouseandmoon

GMER LOG:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-16 11:00:46
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 IC35L090AVV207-0 rev.V23OA66A
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uwldipow.sys


.text C:\WINDOWS\System32\svchost.exe[1508] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03E40FAB
.text C:\WINDOWS\System32\svchost.exe[1508] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03E40FD7
.text C:\WINDOWS\System32\svchost.exe[1508] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03E30000
.text C:\WINDOWS\System32\svchost.exe[1508] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02A00FEF
.text C:\WINDOWS\System32\svchost.exe[1508] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02A0000A
.text C:\WINDOWS\System32\svchost.exe[1508] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02A00FD4
.text C:\WINDOWS\System32\svchost.exe[1508] WININET.dll!InternetOpenUrlW 3D9984A1 5 Bytes JMP 02A00FB9
.text C:\WINDOWS\System32\svchost.exe[1600] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 008D0000
.text C:\WINDOWS\System32\svchost.exe[1600] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 008D0FCA
.text C:\WINDOWS\System32\svchost.exe[1600] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008D0FDB
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008F0FEF
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008F0F76
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008F006B
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008F004E
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008F0F9B
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008F003D
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008F0092
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008F0F40
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008F00CF
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008F00B4
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008F00EA
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008F0FAC
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008F0000
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008F0F5B
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008F002C
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008F0011
.text C:\WINDOWS\System32\svchost.exe[1600] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008F00A3
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008E0FAF
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008E0F43
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 008E0FCA
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008E0000
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008E0F54
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008E0FE5
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008E0F79
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AE, 88]
.text C:\WINDOWS\System32\svchost.exe[1600] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008E0F94
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00910055
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!system 77C293C7 5 Bytes JMP 00910FCA
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00910044
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00910FE5
.text C:\WINDOWS\System32\svchost.exe[1600] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0091001D
.text C:\WINDOWS\System32\svchost.exe[1600] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00900000
.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00AE000A
.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00AE0036
.text C:\WINDOWS\System32\svchost.exe[1756] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00AE001B
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B00000
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B00F83
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B00078
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B0005D
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B00F94
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B00FAF
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B00F46
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B00F57
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B00F1A
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B000A9
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B00EFF
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B00036
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B00F68
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B0001B
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B00FD4
.text C:\WINDOWS\System32\svchost.exe[1756] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B00F2B
.text C:\WINDOWS\System32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AF002C
.text C:\WINDOWS\System32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AF0F9E
.text C:\WINDOWS\System32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AF001B
.text C:\WINDOWS\System32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AF0FE5
.text C:\WINDOWS\System32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AF0FAF
.text C:\WINDOWS\System32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AF0000
.text C:\WINDOWS\System32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AF0047
.text C:\WINDOWS\System32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AF0FC0
.text C:\WINDOWS\System32\svchost.exe[1756] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0047
.text C:\WINDOWS\System32\svchost.exe[1756] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0022
.text C:\WINDOWS\System32\svchost.exe[1756] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FCD
.text C:\WINDOWS\System32\svchost.exe[1756] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000
.text C:\WINDOWS\System32\svchost.exe[1756] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE0FBC
.text C:\WINDOWS\System32\svchost.exe[1756] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0011
.text C:\WINDOWS\System32\svchost.exe[1756] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B10000
.text C:\WINDOWS\Explorer.EXE[1992] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 012A0FE5
.text C:\WINDOWS\Explorer.EXE[1992] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 012A0FD4
.text C:\WINDOWS\Explorer.EXE[1992] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 012A000A
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 011D0000
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 011D00BD
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 011D0098
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 011D0FCA
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 011D007D
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 011D0062
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011D00FC
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 011D00DF
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011D014D
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 011D0132
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 011D0F8F
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 011D0FDB
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 011D001B
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 011D00CE
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 011D0047
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 011D002C
.text C:\WINDOWS\Explorer.EXE[1992] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011D0117
.text C:\WINDOWS\Explorer.EXE[1992] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CE0FB9
.text C:\WINDOWS\Explorer.EXE[1992] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CE0F6F
.text C:\WINDOWS\Explorer.EXE[1992] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CE000A
.text C:\WINDOWS\Explorer.EXE[1992] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CE0FD4
.text C:\WINDOWS\Explorer.EXE[1992] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CE0F94
.text C:\WINDOWS\Explorer.EXE[1992] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CE0FE5
.text C:\WINDOWS\Explorer.EXE[1992] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CE0036
.text C:\WINDOWS\Explorer.EXE[1992] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CE0025
.text C:\WINDOWS\Explorer.EXE[1992] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 012D0070
.text C:\WINDOWS\Explorer.EXE[1992] msvcrt.dll!system 77C293C7 5 Bytes JMP 012D005F
.text C:\WINDOWS\Explorer.EXE[1992] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 012D003A
.text C:\WINDOWS\Explorer.EXE[1992] msvcrt.dll!_open 77C2F566 5 Bytes JMP 012D000C
.text C:\WINDOWS\Explorer.EXE[1992] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 012D0FE5
.text C:\WINDOWS\Explorer.EXE[1992] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 012D0029
.text C:\WINDOWS\Explorer.EXE[1992] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 012B0FEF
.text C:\WINDOWS\Explorer.EXE[1992] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 012B0014
.text C:\WINDOWS\Explorer.EXE[1992] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 012B0025
.text C:\WINDOWS\Explorer.EXE[1992] WININET.dll!InternetOpenUrlW 3D9984A1 5 Bytes JMP 012B0040
.text C:\WINDOWS\Explorer.EXE[1992] WS2_32.dll!socket 71AB4211 5 Bytes JMP 012C000A
.text C:\WINDOWS\System32\svchost.exe[2640] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\System32\svchost.exe[2640] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C40FDE
.text C:\WINDOWS\System32\svchost.exe[2640] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C40014
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C30000
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C30F6D
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C30062
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C30F88
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C30FA5
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C30036
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C3009A
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C30F52
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C30F23
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C300BC
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C30F12
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C30047
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C3007D
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C30FC0
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C3001B
.text C:\WINDOWS\System32\svchost.exe[2640] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C300AB
.text C:\WINDOWS\System32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C50FC3
.text C:\WINDOWS\System32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C50F6B
.text C:\WINDOWS\System32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C50FD4
.text C:\WINDOWS\System32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C5000A
.text C:\WINDOWS\System32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C50F90
.text C:\WINDOWS\System32\svchost.exe[2640] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C50FEF
.text C:\WINDOWS\System32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C50FA1
.text C:\WINDOWS\System32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E5, 88] {IN EAX, 0x88}
.text C:\WINDOWS\System32\svchost.exe[2640] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C50FB2
.text C:\WINDOWS\System32\svchost.exe[2640] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C6006B
.text C:\WINDOWS\System32\svchost.exe[2640] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C6005A
.text C:\WINDOWS\System32\svchost.exe[2640] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C6002E
.text C:\WINDOWS\System32\svchost.exe[2640] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60000
.text C:\WINDOWS\System32\svchost.exe[2640] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C6003F
.text C:\WINDOWS\System32\svchost.exe[2640] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60011
.text C:\Program Files\Mozilla Firefox\firefox.exe[3212] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01222EC0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- EOF - GMER 1.0.15 ----



OTL LOG:

OTL logfile created on: 16/11/2011 11:14:24 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1022.00 Mb Total Physical Memory | 479.27 Mb Available Physical Memory | 46.90% Memory free
2.40 Gb Paging File | 1.76 Gb Available in Paging File | 73.39% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 51.86 Gb Free Space | 69.61% Space Free | Partition Type: NTFS
Drive J: | 465.65 Gb Total Space | 321.02 Gb Free Space | 68.94% Space Free | Partition Type: FAT32

Computer Name: MOUSEANDMOON | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/11/16 11:12:47 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Administrator\My Documents\Downloads\OTL.exe
PRC - [2011/11/10 06:26:44 | 000,924,632 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/10/26 18:01:01 | 000,641,400 | ---- | M] (BitTorrent, Inc.) -- C:\Program Files\uTorrent\uTorrent.exe
PRC - [2011/06/28 06:01:30 | 001,195,408 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/04/14 13:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2011/04/14 13:01:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2011/03/13 10:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2009/12/07 11:50:52 | 001,584,640 | ---- | M] (Alcatel-Lucent) -- C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
PRC - [2008/04/14 00:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/13 18:47:52 | 000,266,240 | ---- | M] () -- C:\Program Files\EZ-DUB\EZ-DUB.exe
PRC - [2004/12/13 03:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


========== Modules (No Company Name) ==========

MOD - [2011/11/10 06:26:39 | 001,989,592 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2011/11/08 06:53:58 | 000,076,800 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dwzvoz91.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}\components\RadioWMPCoreGecko8.dll
MOD - [2011/05/26 12:42:00 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2005/09/13 18:47:52 | 000,266,240 | ---- | M] () -- C:\Program Files\EZ-DUB\EZ-DUB.exe


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (HidServ)
SRV - [2011/04/14 13:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2011/04/14 13:01:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/03/13 10:45:14 | 000,148,520 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 19:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2005/07/25 14:25:18 | 000,491,520 | ---- | M] ( ) [On_Demand | Stopped] -- C:\WINDOWS\System32\lxcfcoms.exe -- (lxcf_device)
SRV - [2004/12/13 03:34:32 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)


========== Driver Services (SafeList) ==========

DRV - [2011/05/26 15:03:56 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2011/05/26 15:03:50 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2011/04/14 13:01:38 | 000,314,088 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/04/14 13:01:38 | 000,153,280 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/04/14 13:01:38 | 000,088,736 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2011/04/14 13:01:38 | 000,088,736 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2011/04/14 13:01:38 | 000,084,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/04/14 13:01:38 | 000,084,200 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/04/14 13:01:38 | 000,056,064 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2011/04/14 13:01:38 | 000,052,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2011/03/13 10:20:10 | 000,459,728 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/03/13 10:20:10 | 000,118,784 | ---- | M] (McAfee, Inc.) [Kernel | Unknown | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/04/28 06:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2004/12/22 20:47:10 | 000,027,392 | ---- | M] (Ulead Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ULCDRHlp.sys -- (ULCDRHlp)
DRV - [2004/09/17 08:02:54 | 000,732,928 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\senfilt.sys -- (senfilt)
DRV - [2003/06/30 17:11:52 | 000,043,136 | R--- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2001/08/22 07:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1645522239-562591055-725345543-500\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKU\S-1-5-21-1645522239-562591055-725345543-500\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-1645522239-562591055-725345543-500\..\URLSearchHook: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1645522239-562591055-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1645522239-562591055-725345543-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search Results"
FF - prefs.js..browser.search.order.1: "Search Results"
FF - prefs.js..browser.search.selectedEngine: "Search Results"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk"

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeLive,version=1.3: C:\Program Files\Microsoft\Office Live\npOLW.dll (Microsoft Corp.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@Motive.com/NpMotive,version=1.0: C:\Program Files\Common Files\Motive\npMotive.dll (Motive, Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2011/11/13 23:01:01 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/11/10 06:26:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 8.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/11/15 05:56:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Extensions
[2011/11/15 05:56:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dwzvoz91.default\extensions
[2011/11/08 11:59:18 | 000,000,000 | ---D | M] (uTorrentBar Community Toolbar) -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dwzvoz91.default\extensions\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}
[2011/11/14 18:20:41 | 000,002,519 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dwzvoz91.default\searchplugins\Search_Results.xml
[2011/11/15 05:56:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/10/15 09:25:35 | 000,000,000 | ---D | M] (Skype Click to Call) -- C:\Program Files\Mozilla Firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
[2011/11/13 23:01:01 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2011/11/10 06:26:44 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/04/14 13:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2011/09/28 20:16:45 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2011/09/28 20:16:45 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2011/09/28 20:16:45 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2011/09/28 20:16:45 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2011/11/14 18:20:41 | 000,002,519 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
[2011/09/28 20:16:45 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/05/26 20:20:19 | 000,001,362 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20110608181346.dll (McAfee, Inc.)
O2 - BHO: (Skype Browser Helper) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (uTorrentBar Toolbar) - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-1645522239-562591055-725345543-500\..\Toolbar\WebBrowser: (uTorrentBar Toolbar) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - C:\Program Files\uTorrentBar\prxtbuTor.dll (Conduit Ltd.)
O4 - HKLM..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe (Alcatel-Lucent)
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKU\S-1-5-21-1645522239-562591055-725345543-500..\Run: [uTorrent] C:\Program Files\uTorrent\uTorrent.exe (BitTorrent, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EZ-DUB Finder.lnk = C:\Program Files\EZ-DUB\EZ-DUB.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1645522239-562591055-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1645522239-562591055-725345543-500\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = -1
O9 - Extra Button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.micros...b?1307543478790 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.mi...b?1307545561937 (MUWebControl Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.m...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{ADA3672A-863B-417B-A23A-0E46DB2DF256}: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2011/06/08 14:00:40 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{4a53ee93-ffbd-11e0-acf9-000bdbb1f289}\Shell - "" = AutoRun
O33 - MountPoints2\{4a53ee93-ffbd-11e0-acf9-000bdbb1f289}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{4a53ee93-ffbd-11e0-acf9-000bdbb1f289}\Shell\AutoRun\command - "" = IomegaEncryptionSetup v1.3.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/11/16 07:40:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/11/15 13:18:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\MSN6
[2011/11/15 13:18:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\MSN6
[2011/11/15 07:04:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\My Documents\My Videos
[2011/11/15 07:04:14 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\Administrative Tools
[2011/11/15 06:55:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Start Menu\Programs\HiJackThis
[2011/11/15 06:55:18 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2011/11/14 18:25:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\boost_interprocess
[2011/11/14 18:23:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{08E30618-5D06-461B-BBD3-4ADFB0810824}
[2011/11/14 18:23:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iLivid
[2011/11/14 18:22:36 | 000,000,000 | ---D | C] -- C:\Program Files\iLivid
[2011/11/14 18:20:38 | 000,000,000 | ---D | C] -- C:\Program Files\Windows iLivid Toolbar
[2011/11/14 18:19:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\PackageAware
[2011/11/11 03:34:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[2011/11/10 03:21:14 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\Logs
[2011/10/26 18:25:53 | 000,000,000 | ---D | C] -- C:\Gregory David Roberts - Shantaram
[2011/10/26 18:12:43 | 000,000,000 | ---D | C] -- C:\The Time Traveler's Wife - Audrey Niffenegger
[2011/10/26 18:12:39 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2011/10/26 18:08:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\uTorrentBar
[2011/10/26 18:06:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\Conduit
[2011/10/26 18:02:28 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrentBar
[2011/10/26 18:01:00 | 000,000,000 | ---D | C] -- C:\Program Files\uTorrent
[2011/10/26 18:00:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Local Settings\Application Data\uTorrent
[2011/10/26 18:00:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator\Application Data\uTorrent
[2011/10/20 06:27:43 | 000,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusb.dll
[2011/10/20 06:27:42 | 000,015,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\usbscan.sys
[2011/10/20 06:27:34 | 000,159,232 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ptpusd.dll
[2011/06/08 15:02:17 | 012,340,504 | ---- | C] (Mozilla) -- C:\Program Files\Firefox Setup 4.0.1.exe
[2011/06/08 14:37:52 | 004,184,000 | ---- | C] (McAfee, Inc.) -- C:\Program Files\McAfeeSetup-Serial.exe
[2011/06/08 08:56:44 | 001,134,592 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfusb1.dll
[2011/06/08 08:56:39 | 001,183,744 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfserv.dll
[2011/06/08 08:56:37 | 000,155,648 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfprox.dll
[2011/06/08 08:56:35 | 000,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfpplc.dll
[2011/06/08 08:56:33 | 000,483,328 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcflmpm.dll
[2011/06/08 08:56:31 | 000,372,736 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfih.exe
[2011/06/08 08:56:27 | 000,491,520 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcoms.exe
[2011/06/08 08:56:27 | 000,413,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomm.dll
[2011/06/08 08:56:26 | 000,704,512 | ---- | C] ( ) -- C:\WINDOWS\System32\lxcfcomc.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/11/16 10:32:00 | 000,000,900 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2011/11/16 10:32:00 | 000,000,896 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2011/11/16 07:48:18 | 000,324,803 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\photo c161111.JPG
[2011/11/16 07:48:18 | 000,311,959 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\photo b161111.JPG
[2011/11/16 07:48:18 | 000,287,571 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\photo d161111.JPG
[2011/11/16 07:48:17 | 000,297,711 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\photo a161111.JPG
[2011/11/16 07:40:11 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\BT NetProtect Plus.lnk
[2011/11/16 07:38:38 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2011/11/16 07:35:56 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/16 07:32:27 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/15 16:35:25 | 000,002,481 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Excel.lnk
[2011/11/15 16:28:18 | 000,002,483 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\Microsoft Word.lnk
[2011/11/15 06:55:37 | 000,002,463 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2011/11/15 05:54:22 | 000,000,040 | ---- | M] () -- C:\Documents and Settings\All Users\Documents\_rgpl
[2011/11/14 23:32:33 | 000,268,923 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\photo a151111.JPG
[2011/11/14 23:32:33 | 000,259,878 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\photo c151111.JPG
[2011/11/14 23:32:33 | 000,259,813 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\photo b151111.JPG
[2011/11/14 23:32:31 | 000,291,353 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\photo d151111.JPG
[2011/11/10 05:39:41 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2011/11/10 03:04:57 | 000,001,393 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2011/11/08 16:22:54 | 000,801,925 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\simply forged 2011 jpeg.jpg
[2011/10/30 22:36:36 | 000,433,696 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/10/30 22:36:36 | 000,068,476 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/28 06:37:42 | 000,037,342 | ---- | M] () -- C:\Documents and Settings\Administrator\Desktop\bhealthyandnatural.JPG
[2011/10/27 06:21:53 | 000,011,264 | ---- | M] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/10/26 18:20:24 | 000,732,500 | ---- | M] () -- C:\Khaled Hosseini - A Thousand Splendid Suns.pdf
[2011/10/26 18:01:23 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/10/26 18:01:22 | 000,000,630 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/11/16 07:48:16 | 000,324,803 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\photo c161111.JPG
[2011/11/16 07:48:16 | 000,311,959 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\photo b161111.JPG
[2011/11/16 07:48:14 | 000,297,711 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\photo a161111.JPG
[2011/11/15 06:55:22 | 000,002,463 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\HiJackThis.lnk
[2011/11/15 05:54:22 | 000,000,040 | ---- | C] () -- C:\Documents and Settings\All Users\Documents\_rgpl
[2011/11/14 23:32:31 | 000,291,353 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\photo d151111.JPG
[2011/11/14 23:32:31 | 000,287,571 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\photo d161111.JPG
[2011/11/14 23:32:31 | 000,259,878 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\photo c151111.JPG
[2011/11/14 23:32:31 | 000,259,813 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\photo b151111.JPG
[2011/11/14 23:32:30 | 000,268,923 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\photo a151111.JPG
[2011/11/10 03:23:36 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\BT NetProtect Plus.lnk
[2011/11/08 16:22:49 | 000,801,925 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\simply forged 2011 jpeg.jpg
[2011/10/28 06:37:40 | 000,037,342 | ---- | C] () -- C:\Documents and Settings\Administrator\Desktop\bhealthyandnatural.JPG
[2011/10/26 18:15:34 | 000,732,500 | ---- | C] () -- C:\Khaled Hosseini - A Thousand Splendid Suns.pdf
[2011/10/26 18:01:22 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\µTorrent.lnk
[2011/10/26 18:01:22 | 000,000,630 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\µTorrent.lnk
[2011/06/10 19:13:11 | 000,011,264 | ---- | C] () -- C:\Documents and Settings\Administrator\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/06/08 19:00:39 | 000,024,630 | ---- | C] () -- C:\Documents and Settings\Administrator\Application Data\Comma Separated Values (Windows).ADR
[2011/06/08 18:16:43 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/06/08 18:06:27 | 000,000,056 | -H-- | C] () -- C:\WINDOWS\System32\ezsidmv.dat
[2011/06/08 15:14:32 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2011/06/08 15:02:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/06/08 14:41:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2011/06/08 14:40:35 | 000,243,128 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2011/06/08 14:02:50 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2011/06/08 13:57:51 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2011/06/08 08:56:46 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxcfvs.dll
[2002/09/03 20:07:03 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2002/09/03 20:07:00 | 000,004,594 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2002/09/03 19:51:48 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2002/09/03 19:51:47 | 000,433,696 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2002/09/03 19:51:46 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2002/09/03 19:51:44 | 000,068,476 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2002/09/03 19:50:11 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2002/09/03 19:44:25 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[2002/09/03 19:44:11 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2002/09/03 19:37:19 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2002/09/03 19:36:07 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin

< End of report >


EXTRAS LOG:

OTL Extras logfile created on: 16/11/2011 11:14:24 - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Administrator\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

1022.00 Mb Total Physical Memory | 479.27 Mb Available Physical Memory | 46.90% Memory free
2.40 Gb Paging File | 1.76 Gb Available in Paging File | 73.39% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.50 Gb Total Space | 51.86 Gb Free Space | 69.61% Space Free | Partition Type: NTFS
Drive J: | 465.65 Gb Total Space | 321.02 Gb Free Space | 68.94% Space Free | Partition Type: FAT32

Computer Name: MOUSEANDMOON | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l
.js [@ = JSFile] -- C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe (Macromedia, Inc.)

[HKEY_USERS\S-1-5-21-1645522239-562591055-725345543-500\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
jsfile [open] -- "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1" (Macromedia, Inc.)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)
"C:\Program Files\TeamViewer\Version6\TeamViewer.exe" = C:\Program Files\TeamViewer\Version6\TeamViewer.exe:*:Enabled:Teamviewer Remote Control Application -- (TeamViewer GmbH)
"C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe" = C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe:*:Enabled:Teamviewer Remote Control Service -- (TeamViewer GmbH)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1BD07DF4-FB06-41BA-B896-B2DA59000C96}" = Windows Live Toolbar
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2934DCB0-F8EE-11E0-A4A5-B8AC6F97B88E}" = Google Earth Plug-in
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{69995C7A-062A-4A90-A4DF-8C22895DF522}" = iTunes
"{7E30D45E-EEC5-41A6-A613-F3BFB2694ACB}" = EZ-DUB
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics Driver
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{8B4AB829-DFD3-436D-B808-D9733D76C590}" = Macromedia Dreamweaver MX
"{8D15E1B2-D2B7-4A17-B44B-D2DDE5981406}" = iLivid
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{90110409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional
"{90190409-6000-11D3-8CFE-0050048383C9}" = Microsoft Publisher 2002
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A5BA14E0-7384-11D4-BAE7-00409631A2C8}" = Macromedia Extension Manager
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA59DDE4-B672-4621-A016-4C248204957A}" = Skype™ 5.5
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B6CF2967-C81E-40C0-9815-C05774FEF120}" = Skype Click to Call
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{D92FF8EB-BD77-40AE-B68B-A6BFC6F8661D}" = Windows Live Family Safety
"{DA898F5C-4C85-4CF4-825B-E05D07DC39DD}" = BT Broadband Support Tools
"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F33C4D28-899A-4C3C-868B-9169A121528B}" = EZ-DUB Finder
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"Adobe SVG Viewer" = Adobe SVG Viewer
"BT Broadband Desktop Help" = BT Broadband Desktop Help
"BTHomeHub" = BTHomeHub
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"iLivid" = iLivid
"InstallShield_{52504CE6-E909-4113-B232-4AFEC6543A61}" = Broadcom 440x 10/100 Integrated Controller
"InstallShield_{F33C4D28-899A-4C3C-868B-9169A121528B}" = EZ-DUB Finder
"Lexmark 730 Series" = Lexmark 730 Series
"Lexmark Printer Software Uninstall" = Lexmark Printer Software Uninstall
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 8.0 (x86 en-GB)" = Mozilla Firefox 8.0 (x86 en-GB)
"MSC" = BT NetProtect Plus
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"TeamViewer 6" = TeamViewer 6
"uTorrent" = µTorrent
"uTorrentBar Toolbar" = uTorrentBar Toolbar
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 07/09/2011 04:07:40 | Computer Name = MOUSEANDMOON | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 6.0.1.4259, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 14/09/2011 11:06:55 | Computer Name = MOUSEANDMOON | Source = Application Error | ID = 1000
Description = Faulting application skype.exe, version 5.3.0.120, faulting module
skype.exe, version 5.3.0.120, fault address 0x006827df.

Error - 14/09/2011 14:39:03 | Computer Name = MOUSEANDMOON | Source = Application Error | ID = 1000
Description = Faulting application skype.exe, version 5.3.0.120, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 14/09/2011 14:39:36 | Computer Name = MOUSEANDMOON | Source = Application Error | ID = 1000
Description = Faulting application skype.exe, version 5.3.0.120, faulting module
skype.exe, version 5.3.0.120, fault address 0x00a36c4c.

Error - 20/09/2011 04:16:03 | Computer Name = MOUSEANDMOON | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 20/09/2011 05:08:11 | Computer Name = MOUSEANDMOON | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 20/09/2011 05:08:20 | Computer Name = MOUSEANDMOON | Source = Application Hang | ID = 1002
Description = Hanging application msimn.exe, version 6.0.2900.5512, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 21/09/2011 03:19:02 | Computer Name = MOUSEANDMOON | Source = McLogEvent | ID = 5051
Description = A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
took longer than 90000 ms to complete a request. The process will be terminated.
Thread
id : 3384 (0xd38) Thread address : 0x7C90E514 Thread message : Build VSCORE.14.2.0.835
/ 5400.1158 Object being scanned = \Device\HarddiskVolume2\OUR Documents\Websites\SLSculpture\images\Mother
Child\Mother child sitting\Uma_6087th.jpg by C:\Program Files\Macromedia\Dreamweaver
MX\Dreamweaver.exe 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0)
5006(0)(0) 5004(0)(0)

Error - 27/09/2011 12:48:38 | Computer Name = MOUSEANDMOON | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 10.1.1.33, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 29/09/2011 18:10:06 | Computer Name = MOUSEANDMOON | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 10.1.1.33, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 15/11/2011 14:33:17 | Computer Name = MOUSEANDMOON | Source = atapi | ID = 262155
Description = The driver detected a controller error on \Device\Ide\IdePort0.

Error - 15/11/2011 14:33:58 | Computer Name = MOUSEANDMOON | Source = atapi | ID = 262153
Description = The device, \Device\Ide\IdePort0, did not respond within the timeout
period.

Error - 15/11/2011 18:13:12 | Computer Name = MOUSEANDMOON | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 15/11/2011 18:25:12 | Computer Name = MOUSEANDMOON | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 15/11/2011 18:37:12 | Computer Name = MOUSEANDMOON | Source = Srv | ID = 2019
Description = The server was unable to allocate from the system nonpaged pool because
the pool was empty.

Error - 15/11/2011 18:39:53 | Computer Name = MOUSEANDMOON | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1450

Error - 15/11/2011 18:39:53 | Computer Name = MOUSEANDMOON | Source = Service Control Manager | ID = 7000
Description = The IMAPI CD-Burning COM Service service failed to start due to the
following error: %%1450

Error - 16/11/2011 03:35:47 | Computer Name = MOUSEANDMOON | Source = Service Control Manager | ID = 7022
Description = The McShield service hung on starting.

Error - 16/11/2011 03:36:19 | Computer Name = MOUSEANDMOON | Source = DCOM | ID = 10010
Description = The server {E0EC0F2B-773D-4DD7-BE6C-7D85D6AA6269} did not register
with DCOM within the required timeout.

Error - 16/11/2011 03:37:22 | Computer Name = MOUSEANDMOON | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.


< End of report >
  • 0

#4
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi Mouseandmoon,

Are you able to even see the iLivid items in Add/Remove programs?

Can you try removing them using RevoUninstaller?

RevoUninstaller
Download and install Revo Uninstaller
  • Double click the Revo Uninstaller icon on your desktop to start the program
  • Scroll through the listed programs and Right Click on the program you wish to uninstall
  • From the pop out menu choose Uninstall
  • Click Yes to the confirmation dialogue
  • In the next window select the Advanced mode
  • Click Next to start uninstalling the program
  • Answer Yes to confirm the uninstall
  • When the program has completed the four steps, click Next to allow the program to search for leftovers
  • Once complete, click Next, then Finish
  • Repeat the above steps for any other programs you wish to remove.


NEXT:



SystemLook
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :dir
    C:\Documents and Settings\All Users\Application Data\boost_interprocess /s
    :contents
    C:\Documents and Settings\All Users\Documents\_rgpl
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    FF - prefs.js..browser.search.defaultenginename: "Search Results"
    FF - prefs.js..browser.search.order.1: "Search Results"
    FF - prefs.js..browser.search.selectedEngine: "Search Results"
    [2011/11/14 18:20:41 | 000,002,519 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dwzvoz91.default\searchplugins\Search_Results.xml
    [2011/11/14 18:20:41 | 000,002,519 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O33 - MountPoints2\{4a53ee93-ffbd-11e0-acf9-000bdbb1f289}\Shell - "" = AutoRun
    O33 - MountPoints2\{4a53ee93-ffbd-11e0-acf9-000bdbb1f289}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4a53ee93-ffbd-11e0-acf9-000bdbb1f289}\Shell\AutoRun\command - "" = IomegaEncryptionSetup v1.3.exe
    [2011/11/14 18:23:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{08E30618-5D06-461B-BBD3-4ADFB0810824}
    [2011/11/14 18:23:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iLivid
    [2011/11/14 18:22:36 | 000,000,000 | ---D | C] -- C:\Program Files\iLivid
    [2011/11/14 18:20:38 | 000,000,000 | ---D | C] -- C:\Program Files\Windows iLivid Toolbar
    [2011/06/08 15:02:17 | 012,340,504 | ---- | C] (Mozilla) -- C:\Program Files\Firefox Setup 4.0.1.exe
    
    :Reg
    
    :Files
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

  • 0

#5
mouseandmoon

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi

I did what you suggested and the SystemLook report is as follows:

SystemLook 30.07.11 by jpshortstuff
Log created at 18:31 on 16/11/2011 by Administrator
Administrator - Elevation successful

========== dir ==========

C:\Documents and Settings\All Users\Application Data\boost_interprocess - Parameters: "/s"

---Files---
None found.

C:\Documents and Settings\All Users\Application Data\boost_interprocess\40B9B89BFAA2CC01 d------ [18:25 14/11/2011]
{1832B446-3F6D-4880-99C1-0B3B26170D94} --a---- 12 bytes [18:25 14/11/2011] [18:25 14/11/2011]

========== contents ==========

C:\Documents and Settings\All Users\Documents\_rgpl - Opened succesfully.

éÙ¿¡²CÚU¾ìÔ–1z/\ír‹hžØе“LvCg±W“~¢

-= EOF =-

Then I ran the OTL with the text you gave me, and the screen went blank and did not come back on. I had to switch off the PC, and I have looked for the report log from that and cannot find it in the OTL folder.

What do I do now? iLivid seems to have gone from my programs list now.

Thank you
  • 0

#6
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Hi!

Can you please try to run this OTL script?

OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.
    :Services
    :Processes
    KILLALLPROCESSES
    :OTL
    FF - prefs.js..browser.search.defaultenginename: "Search Results"
    FF - prefs.js..browser.search.order.1: "Search Results"
    FF - prefs.js..browser.search.selectedEngine: "Search Results"
    [2011/11/14 18:20:41 | 000,002,519 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dwzvoz91.default\searchplugins\Search_Results.xml
    [2011/11/14 18:20:41 | 000,002,519 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\Search_Results.xml
    O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
    O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
    O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
    O33 - MountPoints2\{4a53ee93-ffbd-11e0-acf9-000bdbb1f289}\Shell - "" = AutoRun
    O33 - MountPoints2\{4a53ee93-ffbd-11e0-acf9-000bdbb1f289}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{4a53ee93-ffbd-11e0-acf9-000bdbb1f289}\Shell\AutoRun\command - "" = IomegaEncryptionSetup v1.3.exe
    [2011/11/14 18:23:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\{08E30618-5D06-461B-BBD3-4ADFB0810824}
    [2011/11/14 18:23:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iLivid
    [2011/11/14 18:22:36 | 000,000,000 | ---D | C] -- C:\Program Files\iLivid
    [2011/11/14 18:20:38 | 000,000,000 | ---D | C] -- C:\Program Files\Windows iLivid Toolbar
    [2011/06/08 15:02:17 | 012,340,504 | ---- | C] (Mozilla) -- C:\Program Files\Firefox Setup 4.0.1.exe
    :Reg
    
    :Files
    C:\Documents and Settings\All Users\Documents\_rgpl
    C:\Documents and Settings\All Users\Application Data\boost_interprocess 
    echo,Y|cacls "%WinDir%\system32\drivers\etc\hosts" /G everyone:f /c
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click the OK button.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

  • 0
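The OTL scripts in posts #4 and #6 remove three prefs.js entries (browser.search.defaultenginename, browser.search.order.1, browser.search.selectedEngine, all pointing at "Search Results") and the two Search_Results.xml search plugins that back them. As an added example, not part of this thread and not OTL's or SystemLook's own code, the Python below does the same audit by hand on constructed sample files: it parses prefs.js, flags every search-engine pref that names an engine outside an allowlist of Firefox's stock engines, reads the OpenSearch plugin to show which host a hijacked engine actually sends queries to, and writes prefs.js back without the hijacked entries. The sample prefs.js, the plugin file, its hostname (search-hijacker.example) and the allowlist of engine names are all assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample prefs.js, not taken from the machine in this thread. The three
# browser.search.* lines mirror the prefs named in the OTL fix; the other two are
# ordinary prefs that the clean-up must leave untouched.
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.search.defaultenginename", "Search Results");
user_pref("browser.search.order.1", "Search Results");
user_pref("browser.search.selectedEngine", "Search Results");
user_pref("browser.search.suggest.enabled", true);
user_pref("app.update.lastUpdateTime.background-update-timer", 1321290000);
'''

# Constructed OpenSearch file standing in for searchplugins\Search_Results.xml.
# The hostname is a placeholder assumption, not the real hijacker's domain.
SAMPLE_PLUGIN_XML = '''\
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
  <ShortName>Search Results</ShortName>
  <Url type="text/html" method="GET"
       template="http://search-hijacker.example/web?q={searchTerms}"/>
</SearchPlugin>
'''

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')
ORDER_RE = re.compile(r"^browser\.search\.order\.\d+$")
ENGINE_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
# Assumed allowlist of engine names shipped with an en-US Firefox of that era.
KNOWN_ENGINES = {"Google", "Yahoo", "Bing", "Amazon.com", "eBay", "Twitter", "Wikipedia (en)"}
OPENSEARCH_NS = "{http://www.mozilla.org/2006/browser/search/}"


def parse_prefs(text):
    """Turn user_pref(...) lines into a dict; strings, booleans and ints are decoded."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:                      # comments and blank lines
            continue
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw
    return prefs


def audit_search_prefs(prefs, known_engines=KNOWN_ENGINES):
    """Return (pref, engine) for every search pref naming an engine outside the allowlist."""
    findings = []
    for name, value in prefs.items():
        is_search_pref = name in ENGINE_PREFS or ORDER_RE.match(name)
        if is_search_pref and isinstance(value, str) and value not in known_engines:
            findings.append((name, value))
    return sorted(findings)


def inspect_plugin(xml_text):
    """Return an OpenSearch plugin's ShortName and the hosts its query templates hit."""
    root = ET.fromstring(xml_text)
    short_name = root.findtext(OPENSEARCH_NS + "ShortName")
    hosts = set()
    for url in root.iter(OPENSEARCH_NS + "Url"):
        host = urlparse(url.get("template", "")).hostname
        if host:
            hosts.add(host)
    return short_name, sorted(hosts)


def strip_prefs(text, names):
    """Rewrite prefs.js text without the named prefs; Firefox falls back to defaults."""
    kept = []
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) in names:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS_JS)
    findings = audit_search_prefs(prefs)
    for pref, engine in findings:
        print(f"hijacked: {pref} = {engine!r}")
    name, hosts = inspect_plugin(SAMPLE_PLUGIN_XML)
    print(f"plugin {name!r} sends queries to {hosts}")
    print(strip_prefs(SAMPLE_PREFS_JS, {pref for pref, _ in findings}))
```

Two practical points: Firefox rewrites prefs.js when it exits, so edit the real file only while Firefox is closed (the OTL script starts with KILLALLPROCESSES for the same reason), and dropping the prefs alone is not enough while Search_Results.xml still sits in either searchplugins folder, because the engine simply reappears in the list; both copies named in the OTL script need to go.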

#7
SweetTech

    Sir SpamAlot

  • Retired Staff
  • 7,671 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0