redirect in IE and Firefox

Dell INSPIRON 1525
December 20, 2009 at 08:01:38
Specs: Windows Vista, Celeron 550 2 Ghz
For the last several days I have been getting redirected to "Firefox can't find the server at newserversearch.com" whenever I click on a link to a particular website.

I've loaded and run several spyware and malware programs, and also ComboFix, and nothing has worked so far.

Please help!




#1
December 20, 2009 at 08:32:59
Please download exeHelper to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Please run RSIT.exe by random/random and post its logs.

Download random's system information tool (RSIT) by random/random from the following link and save it to your desktop.

RSIT.exe

1. Double click on RSIT.exe to launch the program.
2. (Vista Users Only) Right click on the RSIT.exe icon and select "Run as Administrator" to run the program.
3. Click Continue at the disclaimer screen.
4. Your firewall may alert you that RSIT is requesting Internet access. Please allow it.
5. Once it has finished, two logs will open: log.txt <-- this will be maximized, and info.txt <-- this will be minimized. Both logs will be located at C:\RSIT.exe.

Please post the contents of both logs (in separate posts) in your next reply. It may take 3 to 4 posts to get the entire log to us.

Download Gmer.exe from the following link.

Link1

1. Disconnect from the Internet and close all running programs.
2. Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
3. Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
4. Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
5. GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
6. If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
7. Now click the Scan button. If you see a rootkit warning window, click OK.
8. When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
9. Click the Copy button and paste the results into your next reply.
• Exit GMER and re-enable all active protection when done.


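The logs asked for above (exeHelper, RSIT/HijackThis, GMER) are read by eye, and the helpers in threads like this look for a handful of well-known redirect and persistence points first: hosts-file entries (HijackThis "O1"), AppInit_DLLs and Winlogon Notify DLLs ("O20"), services with no publisher ("O23 ... Unknown owner"), browser proxy settings ("R1 ... Proxy*"), and recently created hidden+system files in system32 (the RSIT "files created" list). The script below is an added example that is not part of this thread or of any of those tools: it applies exactly those triage heuristics to HijackThis/RSIT-formatted lines. The sample input is excerpted from the log posted later in this thread, plus one constructed "O1 - Hosts" line (not from the thread) so the hosts-file case is exercised. A flag means "confirm this is expected", not a verdict on any file.

```python
"""Triage helper for HijackThis / RSIT style logs (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines excerpted from the RSIT/HijackThis log posted in this thread,
# plus one CONSTRUCTED "O1 - Hosts" line (www.example.com is not in the thread) so the
# hosts-file case is exercised. Nothing here is a verdict on the poster's machine.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 0.0.0.0 www.example.com
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
2009-12-11 08:46:31 ----RASH---- C:\Windows\system32\msdtclogk.dll
2009-12-08 20:00:06 ----A---- C:\Windows\system32\winhttp.dll
"""


@dataclass
class Finding:
    severity: str  # "high" = classic redirect/persistence point, "review" = confirm it is expected
    reason: str
    line: str


# HijackThis section prefix, e.g. "O20 - ..." or "R1 - ..."
HJT_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# RSIT "files created/modified" row: date time ----ATTRS---- path
RSIT_FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} -+(?P<attrs>[A-Z]*)-+ (?P<path>.+)$")


def triage_line(line: str) -> Optional[Finding]:
    """Apply a few defender heuristics to one log line; None means nothing to say."""
    m = HJT_RE.match(line)
    if m:
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":
            # A hosts-file entry overrides DNS for that name: the simplest redirect mechanism.
            return Finding("high", "hosts file overrides name resolution", line)
        if sec == "O20":
            # AppInit_DLLs / Winlogon Notify DLLs get loaded into other processes or at logon.
            return Finding("high", "AppInit_DLLs or Winlogon Notify DLL (loads into other processes)", line)
        if sec == "O23" and "Unknown owner" in body:
            return Finding("review", "service with no publisher name; check the file's signature", line)
        if sec.startswith("R") and re.search(r"\bProxy(Server|Override)\b", body):
            # A proxy setting can silently route every request elsewhere; confirm it is expected.
            return Finding("review", "browser proxy setting", line)
        return None
    m = RSIT_FILE_RE.match(line)
    if m:
        attrs, path = m.group("attrs"), m.group("path")
        if {"H", "S"} <= set(attrs) and "D" not in attrs and "system32" in path.lower():
            # A recently created hidden+system file in system32 is unusual for legitimate software.
            return Finding("high", "recently created hidden+system file in system32", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        f = triage_line(line)
        if f:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {'review': 2, 'high': 4}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it as-is to see the sample flagged, or paste a full log.txt into `SAMPLE_LOG`. The "high" bucket is deliberately small: it only contains mechanisms that can by themselves cause a redirect or load code into the browser, so a reviewer reads those first; everything else that is merely unsigned or unusual lands in "review".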

#2
December 20, 2009 at 08:36:12
OK. Ran exeHelper, here's the text:

exeHelper by Raktor
Build 20091220
Run at 09:38:41 on 12/20/09
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--



#3
December 20, 2009 at 08:41:49
Here's the log.txt:

Logfile of random's system information tool 1.06 (written by random/random)
Run by scott at 2009-12-20 09:41:12
Microsoft® Windows Vista™ Home Basic Service Pack 2
System drive C: has 54 GB (53%) free of 102 GB
Total RAM: 2037 MB (46% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:20 AM, on 12/20/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\scott\Desktop\RSIT.exe
C:\Program Files\trend micro\scott.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?fr=m...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [EverioService] "C:\Program Files\CyberLink\PCM4Everio\EverioService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: McAfee Security Scan.lnk = ?
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://*.mcafee.com
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dock Login Service (DockLoginService) - Stardock Corporation - C:\Program Files\Dell\DellDock\DockLogin.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10786 bytes

======Scheduled tasks folder======

C:\Windows\tasks\McDefragTask.job
C:\Windows\tasks\McQcTask.job
C:\Windows\tasks\VKKMI.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-11-29 436288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{27B4851A-3207-45A2-B947-BE8AFE6163AB}]
McAfee Phishing Filter - c:\PROGRA~1\mcafee\msk\mskapbho.dll [2009-10-02 246800]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
scriptproxy - C:\Program Files\McAfee\VirusScan\scriptsn.dll [2009-11-04 62784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-12-14 263280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll [2009-11-26 764912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\Dell\BAE\BAE.dll [2006-11-09 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-11-29 436288]
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-02-13 150032]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-12-14 263280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"ECenter"=C:\Dell\E-Center\EULALauncher.exe [2008-02-28 17920]
"Apoint"=C:\Program Files\DellTPad\Apoint.exe [2008-05-04 167936]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-03-06 141848]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-03-06 166424]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-03-06 133656]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-03-21 174872]
"Broadcom Wireless Manager UI"=C:\Windows\system32\WLTRAY.exe [2008-05-18 3444736]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-13 29744]
"dscactivate"=C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe [2008-03-11 16384]
"PCMService"=C:\Program Files\Dell\MediaDirect\PCMService.exe [2007-12-21 184320]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"EverioService"=C:\Program Files\CyberLink\PCM4Everio\EverioService.exe [2007-11-01 151552]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-01-06 290088]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe [2007-09-13 405504]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-10-03 35696]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-09-04 935288]
"mcagent_exe"=C:\Program Files\McAfee.com\Agent\mcagent.exe [2009-10-29 1218008]
"McENUI"=C:\PROGRA~1\McAfee\MHN\McENUI.exe [2009-07-07 1176808]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"=C:\Program Files\Dell Support Center\bin\sprtcmd.exe [2009-05-21 206064]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-12-16 2002160]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
McAfee Security Scan.lnk - C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
QuickSet.lnk - C:\Program Files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-03-06 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\mcmscsvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0
"NoSetActiveDesktop"=0
"NoActiveDesktopChanges"=0
"NoFolderOptions"=0
"NoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
"NoDrives"=
"NoSetActiveDesktop"=
"NoActiveDesktopChanges"=
"NoFolderOptions"=
"NoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2009-12-20 09:41:13 ----D---- C:\Program Files\trend micro
2009-12-20 09:41:12 ----D---- C:\rsit
2009-12-20 08:43:16 ----SHD---- C:\$RECYCLE.BIN
2009-12-20 08:42:51 ----A---- C:\ComboFix.txt
2009-12-20 08:28:17 ----A---- C:\Windows\NIRCMD.exe
2009-12-20 08:28:17 ----A---- C:\Windows\MBR.exe
2009-12-20 08:28:14 ----A---- C:\Windows\zip.exe
2009-12-20 08:28:14 ----A---- C:\Windows\SWXCACLS.exe
2009-12-20 08:28:14 ----A---- C:\Windows\SWSC.exe
2009-12-20 08:28:14 ----A---- C:\Windows\SWREG.exe
2009-12-20 08:28:14 ----A---- C:\Windows\sed.exe
2009-12-20 08:28:14 ----A---- C:\Windows\PEV.exe
2009-12-20 08:28:14 ----A---- C:\Windows\grep.exe
2009-12-20 08:26:26 ----D---- C:\Windows\ERDNT
2009-12-20 08:25:55 ----D---- C:\Qoobox
2009-12-19 13:03:02 ----D---- C:\Program Files\ESET
2009-12-19 12:43:42 ----D---- C:\Users\scott\AppData\Roaming\Malwarebytes
2009-12-19 12:43:35 ----D---- C:\ProgramData\Malwarebytes
2009-12-19 12:43:34 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-19 11:17:36 ----D---- C:\Users\scott\AppData\Roaming\AVG8
2009-12-19 08:04:35 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-12-19 08:04:12 ----D---- C:\Users\scott\AppData\Roaming\SUPERAntiSpyware.com
2009-12-19 08:04:12 ----D---- C:\Program Files\SUPERAntiSpyware
2009-12-19 08:03:59 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-12-19 07:37:09 ----D---- C:\ProgramData\Spybot - Search & Destroy
2009-12-19 07:37:09 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-12-19 07:09:13 ----D---- C:\Users\scott\AppData\Roaming\McAfee
2009-12-11 08:46:31 ----RASH---- C:\Windows\system32\msdtclogk.dll
2009-12-11 08:37:24 ----N---- C:\Windows\system32\MpSigStub.exe
2009-12-11 08:11:56 ----D---- C:\Program Files\Common Files\McAfee
2009-12-11 08:11:55 ----D---- C:\Program Files\McAfee.com
2009-12-11 08:11:54 ----D---- C:\Program Files\McAfee
2009-12-08 20:00:06 ----A---- C:\Windows\system32\winhttp.dll
2009-12-08 19:59:55 ----A---- C:\Windows\system32\wininet.dll
2009-12-08 19:59:54 ----A---- C:\Windows\system32\urlmon.dll
2009-12-08 19:59:54 ----A---- C:\Windows\system32\mshtml.dll
2009-12-08 19:59:52 ----A---- C:\Windows\system32\ieframe.dll
2009-12-08 19:59:51 ----A---- C:\Windows\system32\ieui.dll
2009-12-08 19:59:51 ----A---- C:\Windows\system32\ieencode.dll
2009-12-08 19:59:49 ----A---- C:\Windows\system32\ieapfltr.dll
2009-12-08 19:59:36 ----A---- C:\Windows\system32\nshhttp.dll
2009-12-08 19:59:36 ----A---- C:\Windows\system32\httpapi.dll
2009-12-08 19:58:43 ----A---- C:\Windows\system32\rastls.dll
2009-11-24 22:22:54 ----A---- C:\Windows\system32\tzres.dll
2009-11-24 18:36:57 ----A---- C:\Windows\system32\msxml6.dll
2009-11-24 18:36:56 ----A---- C:\Windows\system32\msxml3.dll

======List of files/folders modified in the last 1 months======

2009-12-20 09:41:18 ----D---- C:\Windows\Temp
2009-12-20 09:41:13 ----RD---- C:\Program Files
2009-12-20 09:22:29 ----D---- C:\Windows\Debug
2009-12-20 09:22:29 ----D---- C:\Windows
2009-12-20 09:22:14 ----D---- C:\Program Files\CCleaner
2009-12-20 08:51:12 ----SHD---- C:\System Volume Information
2009-12-20 08:49:47 ----D---- C:\Windows\System32
2009-12-20 08:49:47 ----D---- C:\Windows\inf
2009-12-20 08:49:47 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-12-20 08:49:38 ----D---- C:\Windows\Logs
2009-12-20 08:39:38 ----A---- C:\Windows\system.ini
2009-12-20 08:34:09 ----D---- C:\Windows\system32\drivers
2009-12-20 08:34:09 ----D---- C:\Windows\AppPatch
2009-12-20 08:34:08 ----D---- C:\Program Files\Common Files
2009-12-20 08:25:51 ----D---- C:\Windows\Prefetch
2009-12-19 12:55:54 ----D---- C:\Windows\SoftwareDistribution
2009-12-19 12:53:51 ----D---- C:\Windows\Tasks
2009-12-19 12:43:35 ----D---- C:\ProgramData
2009-12-19 12:17:19 ----D---- C:\Program Files\Notebook Hardware Control
2009-12-19 11:12:15 ----D---- C:\Program Files\Mozilla Firefox
2009-12-19 08:04:16 ----SHD---- C:\Windows\Installer
2009-12-19 07:46:57 ----D---- C:\Windows\Microsoft.NET
2009-12-19 07:21:54 ----D---- C:\ProgramData\Citrix
2009-12-19 07:08:50 ----D---- C:\ProgramData\McAfee
2009-12-16 22:28:11 ----D---- C:\Windows\system32\catroot2
2009-12-12 07:34:49 ----D---- C:\Windows\system32\Tasks
2009-12-11 12:06:28 ----D---- C:\Windows\system32\catroot
2009-12-09 04:53:00 ----D---- C:\Windows\rescache
2009-12-08 22:21:27 ----D---- C:\Windows\winsxs
2009-12-08 22:09:44 ----D---- C:\Windows\system32\en-US
2009-12-08 22:09:44 ----D---- C:\Program Files\Windows Mail
2009-12-04 20:57:40 ----SD---- C:\Windows\Downloaded Program Files
2009-12-01 13:06:19 ----A---- C:\Windows\system32\mrt.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 mfehidk;McAfee Inc. mfehidk; C:\Windows\system32\drivers\mfehidk.sys [2009-11-04 214664]
R1 MPFP;MPFP; C:\Windows\System32\Drivers\Mpfp.sys [2009-07-16 130424]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2009-12-16 9968]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2009-12-16 74480]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-09-06 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-09-06 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-09-06 37376]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 ApfiltrService;Alps Touch Pad Filter Driver for Windows 2000/XP/Vista; C:\Windows\system32\DRIVERS\Apfiltr.sys [2008-05-04 164400]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2008-05-18 1044984]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-11-02 986624]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2006-11-02 206848]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-03-06 2016256]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service; C:\Windows\system32\drivers\IntcHdmi.sys [2008-03-06 111616]
R3 mfeavfk;McAfee Inc. mfeavfk; C:\Windows\system32\drivers\mfeavfk.sys [2009-11-04 79816]
R3 mfebopk;McAfee Inc. mfebopk; C:\Windows\system32\drivers\mfebopk.sys [2009-11-04 35272]
R3 mfesmfk;McAfee Inc. mfesmfk; C:\Windows\system32\drivers\mfesmfk.sys [2009-11-04 40552]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2009-12-16 7408]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-10 89088]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-11-12 330240]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-11-02 659968]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; C:\Windows\system32\DRIVERS\yk60x86.sys [2007-09-28 278528]
S3 BCM42RLY;BCM42RLY; C:\Windows\system32\drivers\BCM42RLY.sys []
S3 catchme;catchme; \??\C:\Users\scott\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-20 220672]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 mferkdk;McAfee Inc. mferkdk; C:\Windows\system32\drivers\mferkdk.sys [2009-11-04 34248]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 nhcDriverDevice;Notebook Hardware Control Driver; \??\C:\Windows\system32\drivers\nhcDriver.sys [2009-12-19 22528]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AESTFilters;Andrea ST Filters Service; C:\Windows\system32\aestsrv.exe [2007-09-20 73728]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 DockLoginService;Dock Login Service; C:\Program Files\Dell\DellDock\DockLogin.exe [2008-04-28 161048]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-03-21 355096]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-02-11 210216]
R2 mcmscsvc;McAfee Services; C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe [2009-10-29 865832]
R2 McNASvc;McAfee Network Agent; c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe [2009-07-07 2482848]
R2 McProxy;McAfee Proxy Service; c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe [2009-07-08 359952]
R2 McShield;McAfee Real-time Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe [2009-11-04 144704]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 MpfService;McAfee Personal Firewall Service; C:\Program Files\McAfee\MPF\MPFSrv.exe [2009-10-27 895696]
R2 MSK80Service;McAfee Anti-Spam Service; C:\Program Files\McAfee\MSK\MskSrver.exe [2009-10-02 26640]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2006-12-19 272024]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter); C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2008-08-14 201968]
R2 STacSV;SigmaTel Audio Service; C:\Windows\system32\STacSV.exe [2007-09-13 102400]
R2 wltrysvc;Dell Wireless WLAN Tray Service; C:\Windows\System32\WLTRYSVC.EXE [2008-05-18 24064]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
R3 McSysmon;McAfee SystemGuards; C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe [2009-11-04 606736]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 GoogleDesktopManager-010708-104812;Google Desktop Manager 5.7.801.7324; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-13 29744]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-29 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 McODS;McAfee Scanner; C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe [2009-10-28 365072]
S3 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [2006-12-14 45056]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [2006-12-14 57344]
S3 SonicStage Back-End Service;SonicStage Back-End Service; C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe [2007-02-05 112184]
S3 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [2006-12-14 69632]
S3 SSScsiSV;SonicStage SCSI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [2007-02-05 75320]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2008-03-24 74384]

-----------------EOF-----------------

#4
December 20, 2009 at 08:42:26
Here's info.txt

info.txt logfile of random's system information tool 1.06 2009-12-20 09:41:24

======Uninstall list======

-->Dummy
Acrobat.com-->msiexec /qb /x {6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Acrobat.com-->MsiExec.exe /I{6D8D64BE-F500-55B6-705D-DFD08AFE0624}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A92000000001}
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Banctec Service Agreement-->MsiExec.exe /I{42D68A86-DB1C-4256-B8C9-5D0D92919AF5}
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Browser Address Error Redirector-->MsiExec.exe /I{62230596-37E5-4618-A329-0D21F529A86F}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Cisco EAP-FAST Module-->MsiExec.exe /I{BF53252E-4AB2-4C7F-A0FD-6100755745E3}
Cisco LEAP Module-->MsiExec.exe /I{76F9CF97-FC4B-4E20-B363-D127C888448F}
Cisco PEAP Module-->MsiExec.exe /I{4E5386F5-C0F6-4532-A54A-374865AEAB71}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HDA D330 MDC V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F\HXFSETUP.EXE -U -Idel000fz.inf
Dell Best of Web-->MsiExec.exe /I{C39A4E1F-9AF1-4FE1-A80E-A5B867FABB42}
Dell DataSafe Online-->MsiExec.exe /I{4D3C9F4B-4B7D-4E5D-99B9-0123AB0D51ED}
Dell Dock-->MsiExec.exe /I{F6CB42B9-F033-4152-8813-FF11DA8E6A78}
Dell Getting Started Guide-->MsiExec.exe /I{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}
Dell Support Center (Support Software)-->MsiExec.exe /X{E3BFEE55-39E2-4BE0-B966-89FE583822C1}
Dell Touchpad-->C:\Program Files\DellTPad\Uninstap.exe ADDREMOVE
Dell Wireless WLAN Card-->"C:\Program Files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe" verbose /rootkey="Software\Broadcom\802.11\UninstallInfo" /rootdir="C:\Program Files\Dell\Dell Wireless WLAN Card"
Dell-eBay-->MsiExec.exe /I{B935C985-A17F-484B-8470-09E4FC27DC26}
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
Digital Photo Navigator 1.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CF9CD37C-E29A-11D5-AE3D-005004B8E30C}\setup.EXE" -l0x9
EDocs-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}\setup.exe"
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0E996B068B56FCA2.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel(R) Matrix Storage Manager-->C:\Windows\System32\Imsmudlg.exe
iTunes-->MsiExec.exe /I{F5C63795-2708-4D15-BF18-5ABBFF7DFFC8}
Java(TM) 6 Update 5-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
McAfee Security Scan-->"C:\Program Files\McAfee Security Scan\uninstall.exe"
McAfee SecurityCenter-->C:\Program Files\McAfee\MSC\mcuninst.exe
McAfee Virtual Technician-->MsiExec.exe /I{49FA793C-785E-47E9-93DF-BD442B0B45D1}
MediaDirect-->C:\Program Files\InstallShield Installation Information\{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}\setup.exe -runfromtemp -l0x0009 -cluninstall
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Word 2003-->MsiExec.exe /I{901B0409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mozilla Firefox (3.5.6)-->c:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
Notebook Hardware Control 2.0 Pre-Release-06 Bugfix-->C:\Program Files\Notebook Hardware Control\uninst.exe
OpenMG Limited Patch 4.7-07-14-05-01-->C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.7-07-14-05-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.7.00-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{CCD663AE-610D-4BDF-AAB0-E914B044527D} UNINSTALL
OutlookAddinSetup-->MsiExec.exe /I{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}
PowerCinema NE for Everio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39CEE1F2-12B6-4C50-9131-04BFCA110578}\setup.exe" -uninstall
PowerDirector Express-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EDE721EC-870A-11D8-9D75-000129760D75}\setup.exe" -uninstall
PowerProducer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
QuickSet-->MsiExec.exe /I{4B6AD248-D3BF-426A-8D64-847288154F13}
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
Roxio Creator Audio-->MsiExec.exe /I{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}
Roxio Creator Copy-->MsiExec.exe /I{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}
Roxio Creator Data-->MsiExec.exe /I{08E81ABD-79F7-49C2-881F-FD6CB0975693}
Roxio Creator DE-->C:\ProgramData\Uninstall\{09760D42-E223-42AD-8C3E-55B47D0DDAC3}\setup.exe /x {09760D42-E223-42AD-8C3E-55B47D0DDAC3}
Roxio Creator DE-->MsiExec.exe /I{ED439A64-F018-4DD4-8BA5-328D85AB09AB}
Roxio Creator Tools-->MsiExec.exe /I{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
SonicStage 4.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TaxCut Arizona 2008-->MsiExec.exe /X{C9158633-1A68-43E5-81F9-AFB2482DEACF}
TaxCut Premium + State + Efile 2008-->MsiExec.exe /X{BBB33AD6-BCF7-4002-B6A0-6DC679AE5C18}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Yahoo! Install Manager-->C:\Windows\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

======Hosts File======

127.0.0.1 localhost

======Security center information======

AS: Windows Defender
AS: SUPERAntiSpyware

=====Application event log=====

Computer Name: scott-PC
Event Code: 1015
Message: Failed to connect to server. Error: 0x800401F0
Record Number: 488
Source Name: MsiInstaller
Time Written: 20081002192359.000000-000
Event Type: Warning
User: scott-PC\scott

Computer Name: scott-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 473
Source Name: Microsoft-Windows-WMI
Time Written: 20081002190757.000000-000
Event Type: Error
User:

Computer Name: scott-PC
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 439
Source Name: Microsoft-Windows-WMI
Time Written: 20081002185010.000000-000
Event Type: Error
User:

Computer Name: scott-PC
Event Code: 1008
Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 422
Source Name: Microsoft-Windows-Search
Time Written: 20081002184913.000000-000
Event Type: Warning
User:

Computer Name: scott-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-1311262568-1303121344-4212267574-1001:
Process 560 (\Device\HarddiskVolume3\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1311262568-1303121344-4212267574-1001

Record Number: 412
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20081002184634.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: scott-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 20781
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090515182833.155574-000
Event Type: Audit Success
User:

Computer Name: scott-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: SCOTT-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x26c
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 20780
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090515182833.155574-000
Event Type: Audit Success
User:

Computer Name: scott-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: SCOTT-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x26c
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 20779
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090515182833.155574-000
Event Type: Audit Success
User:

Computer Name: scott-PC
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-21-1311262568-1303121344-4212267574-1001
Account Name: scott
Account Domain: scott-PC
Logon ID: 0x2c1dd

Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 20778
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090515182830.909174-000
Event Type: Audit Success
User:

Computer Name: scott-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: SCOTT-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 2

New Logon:
Security ID: S-1-5-21-1311262568-1303121344-4212267574-1001
Account Name: scott
Account Domain: scott-PC
Logon ID: 0x2c23c
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x28c
Process Name: C:\Windows\System32\winlogon.exe

Network Information:
Workstation Name: SCOTT-PC
Source Network Address: 127.0.0.1
Source Port: 0

Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 20777
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090515182830.909174-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Common Files\Roxio Shared\10.0\DLLShared;C:\Program Files\QuickTime\QTSystem
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 22 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=1601
"NUMBER_OF_PROCESSORS"=1
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\10.0\Roxio Central36\
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip

-----------------EOF-----------------

#5
December 20, 2009 at 09:28:23
Forget this message.....I was able to piecemeal the gmer.log file....


I am not able to post the gmer.log

I keep getting a blank screen when attempting to submit the follow up.

Is the file too big?

btw, I got the blue screen of death when saving it.

#6
December 20, 2009 at 09:35:57
Here's gmer.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 10:22:38
Windows 6.0.6002 Service Pack 2
Running: lnxtt4ru.exe; Driver: C:\Users\scott\AppData\Local\Temp\fglcypow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8C5490B0]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x8C5CA79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x8C5CA738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x8C5CA74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8C5CA7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x8C5CA81F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x8C5CA710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x8C5CA724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x8C5CA7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x8C5CA847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x8C5CA833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x8C5CA78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x8C5CA776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x8C5CA80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8C5CA7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x8C5CA7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x8C5CA762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

#7
December 20, 2009 at 09:36:50
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82235982 5 Bytes JMP 8C5CA7CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text ntkrnlpa.exe!KeSetEvent + 621 822B6D64 4 Bytes [B0, 90, 54, 8C]
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 823C95B5 5 Bytes JMP 8C5CA823 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 823D3B82 5 Bytes JMP 8C5CA766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 823FAD5D 5 Bytes JMP 8C5CA80F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8241A446 7 Bytes JMP 8C5CA7E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8241A709 5 Bytes JMP 8C5CA7F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 8241E474 5 Bytes JMP 8C5CA77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82423E7D 7 Bytes JMP 8C5CA7B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 8242609A 5 Bytes JMP 8C5CA728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 8242AB48 5 Bytes JMP 8C5CA714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8244BD59 5 Bytes JMP 8C5CA7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8245C7B2 5 Bytes JMP 8C5CA837 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8245D9B6 5 Bytes JMP 8C5CA84B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 8249B74B 5 Bytes JMP 8C5CA73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 8249B796 7 Bytes JMP 8C5CA750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 8249C253 5 Bytes JMP 8C5CA78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

#8
December 20, 2009 at 09:38:14
---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[516] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[516] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\services.exe[636] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 0006008C
.text C:\Windows\system32\services.exe[636] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 00060071
.text C:\Windows\system32\services.exe[636] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 000600C2
.text C:\Windows\system32\services.exe[636] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 00060F21
.text C:\Windows\system32\services.exe[636] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 00060F61
.text C:\Windows\system32\services.exe[636] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 00060FB9
.text C:\Windows\system32\services.exe[636] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 0006000A
.text C:\Windows\system32\services.exe[636] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 00060060
.text C:\Windows\system32\services.exe[636] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 00060F72
.text C:\Windows\system32\services.exe[636] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00060F83
.text C:\Windows\system32\services.exe[636] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 0006002F
.text C:\Windows\system32\services.exe[636] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00060FA8
.text C:\Windows\system32\services.exe[636] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 00060F46
.text C:\Windows\system32\services.exe[636] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 00060F10
.text C:\Windows\system32\services.exe[636] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 00060FCA
.text C:\Windows\system32\services.exe[636] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00060FE5
.text C:\Windows\system32\services.exe[636] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 000600A7
.text C:\Windows\system32\services.exe[636] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 001A0FD4
.text C:\Windows\system32\services.exe[636] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 001A0051
.text C:\Windows\system32\services.exe[636] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 001A0000
.text C:\Windows\system32\services.exe[636] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 001A0076
.text C:\Windows\system32\services.exe[636] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 001A0091
.text C:\Windows\system32\services.exe[636] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 001A0036
.text C:\Windows\system32\services.exe[636] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 001A0025
.text C:\Windows\system32\services.exe[636] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 001A0FE5
.text C:\Windows\system32\services.exe[636] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 0019003B
.text C:\Windows\system32\services.exe[636] msvcrt.dll!system 76FA804B 5 Bytes JMP 00190FB0
.text C:\Windows\system32\services.exe[636] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00190FD2
.text C:\Windows\system32\services.exe[636] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00190FEF
.text C:\Windows\system32\services.exe[636] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 00190FC1
.text C:\Windows\system32\services.exe[636] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 00190000
.text C:\Windows\system32\services.exe[636] WS2_32.dll!socket 761436D1 5 Bytes JMP 0018000A
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 0006007A
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 00060069
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 0006009C
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 0006008B
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 00060036
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 00060FD4
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 00060FAF
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 00060058
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 00060025
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00060F79
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 00060F68
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00060F9E
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 00060047
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 000600AD
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 0006000A
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00060FEF
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 00060F19
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 00870FCA
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00870062
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 00870000
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00870FDB
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 00870091
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 0087002C
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00870011
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00870047
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00080053
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!system 76FA804B 5 Bytes JMP 00080038
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00080016
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00080FE3
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 00080027
.text C:\Windows\system32\lsass.exe[652] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 00080FD2
.text C:\Windows\system32\lsass.exe[652] WS2_32.dll!socket 761436D1 5 Bytes JMP 00070FEF
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 001D00C6
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 001D00AB
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 001D00F2
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 001D00E1
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 001D0F8A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 001D0025
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 001D0036
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 001D0090
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 001D006E
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 001D0FC0
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 001D0FA5
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 001D0047
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 001D007F
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 001D010D
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 001D000A
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 001D0FEF
.text C:\Windows\system32\svchost.exe[816] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 001D0F5B
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 001F006E
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!system 76FA804B 5 Bytes JMP 001F0053
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 001F0027
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_open 76FAD106 5 Bytes JMP 001F0FE3
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 001F0038
.text C:\Windows\system32\svchost.exe[816] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 001F000C
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 00200051
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00200036
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 00200FE5
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00200FAF
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 00200F94
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 00200FCA
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00200000
.text C:\Windows\system32\svchost.exe[816] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 0020001B
.text C:\Windows\system32\svchost.exe[816] WS2_32.dll!socket 761436D1 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 00140F29
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 0014006F
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 0014008A
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 00140EF3
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 00140F5F
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 0014001B
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 00140FCA
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 00140F4E
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 00140F7A
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00140FA8
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 00140F97
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00140FB9
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 0014005E
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 00140ED8
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 0014000A
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00140FEF
.text C:\Windows\system32\svchost.exe[880] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 00140F0E
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 001E002C
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!system 76FA804B 5 Bytes JMP 001E001B
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 001E0FC6
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_open 76FAD106 5 Bytes JMP 001E0000
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 001E0FB5
.text C:\Windows\system32\svchost.exe[880] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 001E0FD7
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 001F0051
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 001F0036
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 001F0FE5
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 001F0FAF
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 001F0F94
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 001F0FC0
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 001F0000
.text C:\Windows\system32\svchost.exe[880] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 001F0011
.text C:\Windows\system32\svchost.exe[880] WS2_32.dll!socket 761436D1 5 Bytes JMP 0015000A
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 000E00A1
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 000E0090
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 000E00C3
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 000E0F36
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 000E006E
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 000E0011
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 000E0FC0
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 000E0F65
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 000E0047
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 000E0036
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 000E0F94
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 000E0FA5
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 000E007F
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 000E0F11
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 000E0000
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 000E0FE5
.text C:\Windows\System32\svchost.exe[912] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 000E00B2
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00670FB9
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!system 76FA804B 5 Bytes JMP 0067004E
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00670FEF
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00670000
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 00670FDE
.text C:\Windows\System32\svchost.exe[912] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 0067001D
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 00680FC0
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00680FDB
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 0068000A
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00680062
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 0068007D
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 00680036
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00680025
.text C:\Windows\System32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00680047
.text C:\Windows\System32\svchost.exe[912] WS2_32.dll!socket 761436D1 5 Bytes JMP 00660FEF
.text C:\Windows\System32\svchost.exe[912] wininet.dll!InternetOpenA 75FCD47D 5 Bytes JMP 00690FEF
.text C:\Windows\System32\svchost.exe[912] wininet.dll!InternetOpenW 75FCD7DA 5 Bytes JMP 00690FD4
.text C:\Windows\System32\svchost.exe[912] wininet.dll!InternetOpenUrlA 75FCFE4B 5 Bytes JMP 0069000A
.text C:\Windows\System32\svchost.exe[912] wininet.dll!InternetOpenUrlW 76019139 5 Bytes JMP 00690FAF
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 001E0098
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 001E0087
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 001E00B3
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 001E0F1C
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 001E0F70
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 001E0FD4
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 001E0025
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 001E0076
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 001E0F8D
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 001E0040
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 001E0F9E
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 001E0FB9
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 001E0065
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 001E00CE
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 001E0FE5
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 001E000A
.text C:\Windows\System32\svchost.exe[996] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 001E0F2D
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00690047
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!system 76FA804B 5 Bytes JMP 00690FB2
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 0069001B
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00690000
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 0069002C
.text C:\Windows\System32\svchost.exe[996] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 00690FD7
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 0089006C
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00890FCA
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 0089000A
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00890051
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 0089007D
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 00890036
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 0089001B
.text C:\Windows\System32\svchost.exe[996] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00890FE5
.text C:\Windows\System32\svchost.exe[996] WS2_32.dll!socket 761436D1 5 Bytes JMP 00680000
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 00D60F4A
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 00D6009A
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 00D60F1E
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 00D600AB
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 00D60F8A
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 00D6001B
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 00D60FC0
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 00D60089
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 00D60062
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00D60FA5
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 00D60051
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00D6002C
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 00D60F79
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 00D600D0
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 00D60FE5
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00D60000
.text C:\Windows\System32\svchost.exe[1076] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 00D60F2F
.text C:\Windows\System32\svchost.exe[1076] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00DE0FB2
.text C:\Windows\System32\svchost.exe[1076] msvcrt.dll!system 76FA804B 5 Bytes JMP 00DE0FC3
.text C:\Windows\System32\svchost.exe[1076] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00DE0FEF
.text C:\Windows\System32\svchost.exe[1076] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00DE000C
.text C:\Windows\System32\svchost.exe[1076] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 00DE0FD4
.text C:\Windows\System32\svchost.exe[1076] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 00DE0029
.text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 00DF004A
.text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00DF0FBC
.text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 00DF0000
.text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00DF0039
.text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 00DF0065
.text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 00DF0FDE
.text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00DF0FEF
.text C:\Windows\System32\svchost.exe[1076] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00DF0FCD
.text C:\Windows\System32\svchost.exe[1076] WS2_32.dll!socket 761436D1 5 Bytes JMP 00DD0000
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 005000AF
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 0050009E
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 00500F22
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 00500F3D
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 00500F95
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 00500FCD
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 00500014
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 00500F69
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 0050006F
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00500043
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 00500054
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00500FB2
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 00500F84
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 00500F11
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 00500FDE
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00500FEF
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 00500F4E
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00580078
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!system 76FA804B 5 Bytes JMP 00580053
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00580038
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00580000
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 00580FE3
.text C:\Windows\system32\svchost.exe[1092] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 0058001D
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 00CE0047
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00CE0FAF
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 00CE0000
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00CE0036
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 00CE0062
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 00CE0FE5
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00CE001B
.text C:\Windows\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00CE0FC0
.text C:\Windows\system32\svchost.exe[1092] WS2_32.dll!socket 761436D1 5 Bytes JMP 00570000
.text C:\Windows\system32\svchost.exe[1092] WININET.dll!InternetOpenA 75FCD47D 5 Bytes JMP 016C0FEF
.text C:\Windows\system32\svchost.exe[1092] WININET.dll!InternetOpenW 75FCD7DA 1 Byte [E9]


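As an added example (not part of the posted log, and not GMER's own code), here is a small Python parser for the `.text ... 5 Bytes JMP ...` lines above. It answers the two questions a responder would ask of this log before anything else: are the same exports hooked in every scanned process, and do the hooks for each module jump into a single small page far away from the module's own code (the pattern of an injected hooking engine writing one trampoline per export, rather than a Microsoft hotpatch that jumps a few bytes within the DLL)? The 4 KiB page clustering and the 1 MiB "inside its own module" distance are assumptions chosen for this example, and the sample lines are excerpted from the log posted in this thread.

```python
"""Summarise GMER '.text' user-mode hook lines per process.

Added example for this thread; it is not part of the posted log and not GMER's
own code. The two heuristics below are assumptions (stated in the comments),
not anything GMER itself reports.
"""
import re
from collections import defaultdict

# One GMER user-mode inline hook entry, e.g.
# .text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 0006000A
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<size>\d+)\s+Bytes?\s+(?P<detail>.+)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})$")

PAGE = 0x1000             # 4 KiB page granularity used to cluster JMP targets
MODULE_RADIUS = 0x100000  # assumption: a JMP that stays inside its own DLL lands within 1 MiB


def parse_hooks(lines):
    """Return one dict per parseable hook line; anything else is skipped."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"] = int(h["pid"])
        h["addr"] = int(h["addr"], 16)
        h["size"] = int(h["size"])
        j = JMP_RE.match(h["detail"])
        # '1 Byte [E9]' entries carry only the JMP opcode, no target address
        h["target"] = int(j.group("target"), 16) if j else None
        hooks.append(h)
    return hooks


def hooked_everywhere(hooks):
    """(module, export) pairs hooked in every scanned process.

    The same trampoline set in every PID is what a DLL injected system-wide
    looks like; a per-process hotpatch would not repeat like this.
    """
    per_pid = defaultdict(set)
    for h in hooks:
        per_pid[h["pid"]].add((h["module"].lower(), h["func"]))
    return set.intersection(*per_pid.values()) if per_pid else set()


def trampoline_pages(hooks, min_hooks=2):
    """(pid, module) -> page, for modules whose hooks all jump into one page far from the module.

    Assumed heuristic: a hooking engine carves one trampoline per export out of
    a single small allocation, so every JMP for a module shares a 4 KiB page
    and lies well outside the module's own code.
    """
    groups = defaultdict(list)
    for h in hooks:
        if h["target"] is not None:
            groups[(h["pid"], h["module"].lower())].append(h)
    flagged = {}
    for key, hs in groups.items():
        pages = {h["target"] & ~(PAGE - 1) for h in hs}
        far = all(abs(h["target"] - h["addr"]) > MODULE_RADIUS for h in hs)
        if len(hs) >= min_hooks and len(pages) == 1 and far:
            flagged[key] = pages.pop()
    return flagged


def summarize(lines):
    hooks = parse_hooks(lines)
    return {
        "total_hooks": len(hooks),
        "processes": sorted({(h["proc"], h["pid"]) for h in hooks}),
        "hooked_everywhere": sorted(hooked_everywhere(hooks)),
        "trampoline_pages": {f"{pid}:{mod}": hex(page)
                             for (pid, mod), page in sorted(trampoline_pages(hooks).items())},
    }


# Sample input: lines excerpted from the log posted above (two of the scanned
# processes), plus the '1 Byte [E9]' form GMER prints for a partially read hook.
SAMPLE_LOG = r"""
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 0006009C
.text C:\Windows\system32\lsass.exe[652] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 0006000A
.text C:\Windows\system32\lsass.exe[652] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00870047
.text C:\Windows\system32\lsass.exe[652] WS2_32.dll!socket 761436D1 5 Bytes JMP 00070FEF
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 00500F22
.text C:\Windows\system32\svchost.exe[1092] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 00500FDE
.text C:\Windows\system32\svchost.exe[1092] WS2_32.dll!socket 761436D1 5 Bytes JMP 00570000
.text C:\Windows\system32\svchost.exe[1092] WININET.dll!InternetOpenW 75FCD7DA 1 Byte [E9]
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on the real thing, paste every part of the GMER log (it is split across several posts here) into one file and pass its lines to `summarize`. Forum text such as post headers does not match the pattern and is ignored; the `1 Byte [E9]` entries GMER emits alongside a full `5 Bytes JMP` line for the same address are kept as separate records without a target, so they never count toward the page clustering.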
#9
December 20, 2009 at 09:39:12
.text C:\Windows\system32\svchost.exe[1092] WININET.dll!InternetOpenW 75FCD7DA 5 Bytes JMP 016C0FDE
.text C:\Windows\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlA 75FCFE4B 5 Bytes JMP 016C001E
.text C:\Windows\system32\svchost.exe[1092] WININET.dll!InternetOpenUrlW 76019139 5 Bytes JMP 016C0FC3
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 004E0091
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 004E0F4B
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 004E0F0B
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 004E0F1C
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 004E0F77
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 004E0FCD
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 004E001E
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 004E0076
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 004E0F88
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 004E0040
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 004E0051
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 004E002F
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 004E0F66
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 004E00BD
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 004E0FDE
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 004E0FEF
.text C:\Windows\system32\svchost.exe[1244] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 004E00A2
.text C:\Windows\system32\svchost.exe[1244] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00510FB2
.text C:\Windows\system32\svchost.exe[1244] msvcrt.dll!system 76FA804B 5 Bytes JMP 00510FC3
.text C:\Windows\system32\svchost.exe[1244] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00510033
.text C:\Windows\system32\svchost.exe[1244] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00510FEF
.text C:\Windows\system32\svchost.exe[1244] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 00510FD4
.text C:\Windows\system32\svchost.exe[1244] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 0051000C
.text C:\Windows\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 0052002C
.text C:\Windows\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00520F9B
.text C:\Windows\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 00520FE5
.text C:\Windows\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00520F8A
.text C:\Windows\system32\svchost.exe[1244] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 00520F6F
.text C:\Windows\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 00520000
.text C:\Windows\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00520FCA
.text C:\Windows\system32\svchost.exe[1244] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00520011
.text C:\Windows\system32\svchost.exe[1244] WS2_32.dll!socket 761436D1 5 Bytes JMP 00500FEF
.text C:\Windows\system32\svchost.exe[1244] WinInet.dll!InternetOpenA 75FCD47D 5 Bytes JMP 004F0FE5
.text C:\Windows\system32\svchost.exe[1244] WinInet.dll!InternetOpenW 75FCD7DA 5 Bytes JMP 004F000A
.text C:\Windows\system32\svchost.exe[1244] WinInet.dll!InternetOpenUrlA 75FCFE4B 5 Bytes JMP 004F0FD4
.text C:\Windows\system32\svchost.exe[1244] WinInet.dll!InternetOpenUrlW 76019139 5 Bytes JMP 004F0FB9
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 00100F4B
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 00100F66
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 00100F15
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 001000AC
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 00100076
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 00100FD4
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 00100FB9
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 00100F77
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 00100065
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00100FA8
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 00100054
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00100025
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 00100087
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 00100F04
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 0010000A
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00100FE5
.text C:\Windows\system32\svchost.exe[1376] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 00100F26
.text C:\Windows\system32\svchost.exe[1376] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00850FA3
.text C:\Windows\system32\svchost.exe[1376] msvcrt.dll!system 76FA804B 5 Bytes JMP 00850FBE
.text C:\Windows\system32\svchost.exe[1376] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00850FE3
.text C:\Windows\system32\svchost.exe[1376] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00850000
.text C:\Windows\system32\svchost.exe[1376] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 0085002E
.text C:\Windows\system32\svchost.exe[1376] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 0085001D
.text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 00860FB6
.text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 0086003D
.text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 0086000A
.text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00860058
.text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 00860F91
.text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 0086002C
.text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 0086001B
.text C:\Windows\system32\svchost.exe[1376] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00860FD1
.text C:\Windows\system32\svchost.exe[1376] WS2_32.dll!socket 761436D1 5 Bytes JMP 00840FEF
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 01480F26
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 01480F37
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 014800A5
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 01480F04
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 01480F5C
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 01480FD4
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 0148001B
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 01480062
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 01480036
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 01480F94
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 01480F79
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 01480FAF
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 01480051
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 014800B6
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 0148000A
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 01480FE5
.text C:\Windows\system32\svchost.exe[1656] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 01480F15
.text C:\Windows\system32\svchost.exe[1656] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 014E0036
.text C:\Windows\system32\svchost.exe[1656] msvcrt.dll!system 76FA804B 5 Bytes JMP 014E001B
.text C:\Windows\system32\svchost.exe[1656] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 014E0000
.text C:\Windows\system32\svchost.exe[1656] msvcrt.dll!_open 76FAD106 5 Bytes JMP 014E0FE3
.text C:\Windows\system32\svchost.exe[1656] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 014E0FB5
.text C:\Windows\system32\svchost.exe[1656] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 014E0FD2
.text C:\Windows\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 014F005B
.text C:\Windows\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 014F002F
.text C:\Windows\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 014F0FEF
.text C:\Windows\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 014F004A
.text C:\Windows\system32\svchost.exe[1656] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 014F0F9E
.text C:\Windows\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 014F000A
.text C:\Windows\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 014F0FD4
.text C:\Windows\system32\svchost.exe[1656] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 014F0FC3
.text C:\Windows\system32\svchost.exe[1656] WS2_32.dll!socket 761436D1 5 Bytes JMP 01490FEF
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 00070F5C
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 00070F77
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 00070F37
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 000700CE
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 0007007D
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 0007001B
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 00070FD4
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 00070F88
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 0007006C
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 0007004A
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 0007005B
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00070FB9
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 00070098
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 00070F26
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 00070FEF
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00070000
.text C:\Windows\system32\svchost.exe[2092] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 000700B3
.text C:\Windows\system32\svchost.exe[2092] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 001D0FAD
.text C:\Windows\system32\svchost.exe[2092] msvcrt.dll!system 76FA804B 5 Bytes JMP 001D0038
.text C:\Windows\system32\svchost.exe[2092] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 001D0FD2
.text C:\Windows\system32\svchost.exe[2092] msvcrt.dll!_open 76FAD106 5 Bytes JMP 001D0FE3
.text C:\Windows\system32\svchost.exe[2092] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 001D0027
.text C:\Windows\system32\svchost.exe[2092] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 001D0000
.text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 001E0025
.text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 001E0F83
.text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 001E0FEF
.text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 001E0F68
.text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 001E0FAF
.text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 001E0FCA
.text C:\Windows\system32\svchost.exe[2092] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 001E0F9E
.text C:\Windows\system32\svchost.exe[2092] WS2_32.dll!socket 761436D1 5 Bytes JMP 001B0000
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 000100A6
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 0001008B
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 00010F19
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 00010F34
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 00010058
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 00010FC3
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 00010014
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 0001007A
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 00010047
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00010F94
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 00010036
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00010025
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 00010069
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 000100CB
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 00010FDE
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00010FEF
.text C:\Windows\Explorer.EXE[2448] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 00010F4F
.text C:\Windows\Explorer.EXE[2448] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 00050F9B
.text C:\Windows\Explorer.EXE[2448] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00050033
.text C:\Windows\Explorer.EXE[2448] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 00050000
.text C:\Windows\Explorer.EXE[2448] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00050FAC
.text C:\Windows\Explorer.EXE[2448] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 00050F80
.text C:\Windows\Explorer.EXE[2448] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 00050011
.text C:\Windows\Explorer.EXE[2448] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00050FE5
.text C:\Windows\Explorer.EXE[2448] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00050022
.text C:\Windows\Explorer.EXE[2448] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00060FA6
.text C:\Windows\Explorer.EXE[2448] msvcrt.dll!system 76FA804B 5 Bytes JMP 00060FB7
.text C:\Windows\Explorer.EXE[2448] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00060FD2
.text C:\Windows\Explorer.EXE[2448] msvcrt.dll!_open 76FAD106 5 Bytes JMP 0006000C
.text C:\Windows\Explorer.EXE[2448] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 0006001D
.text C:\Windows\Explorer.EXE[2448] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 00060FEF
.text C:\Windows\Explorer.EXE[2448] WS2_32.dll!socket 761436D1 5 Bytes JMP 030E0FEF
.text C:\Windows\Explorer.EXE[2448] WININET.dll!InternetOpenA 75FCD47D 5 Bytes JMP 032A0FE5
.text C:\Windows\Explorer.EXE[2448] WININET.dll!InternetOpenW 75FCD7DA 5 Bytes JMP 032A0FD4
.text C:\Windows\Explorer.EXE[2448] WININET.dll!InternetOpenUrlA 75FCFE4B 5 Bytes JMP 032A0FAF
.text C:\Windows\Explorer.EXE[2448] WININET.dll!InternetOpenUrlW 76019139 5 Bytes JMP 032A0000
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 00010F3A
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 00010F4B
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 00010F0E
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 00010F29
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 00010F7E
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 00010000
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 0001001B
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 00010F5C
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 00010062
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00010036
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 00010051
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00010FA5
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 00010F6D
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 00010EF3
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 00010FD4
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00010FEF
.text C:\Windows\system32\svchost.exe[2608] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 000100A5
.text C:\Windows\system32\svchost.exe[2608] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00050F92
.text C:\Windows\system32\svchost.exe[2608] msvcrt.dll!system 76FA804B 5 Bytes JMP 0005001D
.text C:\Windows\system32\svchost.exe[2608] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00050FC8
.text C:\Windows\system32\svchost.exe[2608] msvcrt.dll!_open 76FAD106 5 Bytes JMP 0005000C
.text C:\Windows\system32\svchost.exe[2608] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 00050FAD
.text C:\Windows\system32\svchost.exe[2608] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 00050FE3
.text C:\Windows\system32\svchost.exe[2608] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 0006006C
.text C:\Windows\system32\svchost.exe[2608] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00060FD4
.text C:\Windows\system32\svchost.exe[2608] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 00060000
.text C:\Windows\system32\svchost.exe[2608] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 0006005B
.text C:\Windows\system32\svchost.exe[2608] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 0006007D
.text C:\Windows\system32\svchost.exe[2608] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 00060025
.text C:\Windows\system32\svchost.exe[2608] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00060FEF
.text C:\Windows\system32\svchost.exe[2608] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00060036
.text C:\Windows\system32\svchost.exe[2608] WS2_32.dll!socket 761436D1 5 Bytes JMP 002D0FEF
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 000100FA
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 000100DF
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 00010130
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 00010F8F
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 000100A2
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 00010025
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 00010FD4
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 000100CE
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 00010091
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00010065
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 00010076
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00010040
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 000100B3
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 00010141
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 00010014
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00010FEF
.text C:\Windows\System32\svchost.exe[2644] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 0001010B
.text C:\Windows\System32\svchost.exe[2644] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00050042
.text C:\Windows\System32\svchost.exe[2644] msvcrt.dll!system 76FA804B 5 Bytes JMP 00050FB7
.text C:\Windows\System32\svchost.exe[2644] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00050FD2
.text C:\Windows\System32\svchost.exe[2644] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[2644] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 00050027
.text C:\Windows\System32\svchost.exe[2644] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 0005000C
.text C:\Windows\System32\svchost.exe[2644] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 00060F94
.text C:\Windows\System32\svchost.exe[2644] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00060FCA
.text C:\Windows\System32\svchost.exe[2644] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 00060000
.text C:\Windows\System32\svchost.exe[2644] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00060FAF
.text C:\Windows\System32\svchost.exe[2644] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 00060F83
.text C:\Windows\System32\svchost.exe[2644] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 00060FE5
.text C:\Windows\System32\svchost.exe[2644] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00060011
.text C:\Windows\System32\svchost.exe[2644] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00060036
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] ntdll.dll!NtQueryInformationProcess 773D4E54 5 Bytes JMP 01EC0A8E
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] WS2_32.dll!closesocket 7614330C 5 Bytes JMP 01EB7C46
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] WS2_32.dll!recv 7614343A 5 Bytes JMP 01EB7A06
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] WS2_32.dll!WSASend 76144496 5 Bytes JMP 01EB7AAA
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] WS2_32.dll!send 7614659B 5 Bytes JMP 01EB7966
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] WS2_32.dll!WSARecv 76148400 5 Bytes JMP 01EB7B65
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] USER32.dll!DrawTextExW 775491CE 5 Bytes JMP 01EB8103
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] USER32.dll!DrawTextW 775497D3 5 Bytes JMP 01EB7F41
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] USER32.dll!DrawTextA 7755558D 5 Bytes JMP 01EB7E66
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] USER32.dll!DrawTextExA 775555C4 5 Bytes JMP 01EB801C
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] GDI32.dll!ExtTextOutW 75CF872B 5 Bytes JMP 01EB82CE
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] GDI32.dll!GetGlyphIndicesW 75CFB765 5 Bytes JMP 01EB874A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] GDI32.dll!ExtTextOutA 75D000A5 5 Bytes JMP 01EB81EA
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] GDI32.dll!TextOutA 75D00BAB 5 Bytes JMP 01EB7CCE
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] GDI32.dll!TextOutW 75D00D6D 5 Bytes JMP 01EB7D9A
.text C:\Program Files\Mozilla Firefox\firefox.exe[4548] GDI32.dll!GetGlyphIndicesA 75D19DC0 5 Bytes JMP 01EB8681
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 00010F52
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 00010F63
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 000100BD
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 00010F1C
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 00010F74
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 00010FDB
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 00010036
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 0001008E
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 00010F9B
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00010058
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 00010FAC
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00010047
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 00010069
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 000100CE
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 00010011
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00010000
.text C:\Windows\system32\svchost.exe[4704] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 00010F2D
.text C:\Windows\system32\svchost.exe[4704] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00050F9E
.text C:\Windows\system32\svchost.exe[4704] msvcrt.dll!system 76FA804B 5 Bytes JMP 00050FB9
.text C:\Windows\system32\svchost.exe[4704] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00050FDE
.text C:\Windows\system32\svchost.exe[4704] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00050FEF
.text C:\Windows\system32\svchost.exe[4704] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 00050029
.text C:\Windows\system32\svchost.exe[4704] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 00050018
.text C:\Windows\system32\svchost.exe[4704] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 00060F8A
.text C:\Windows\system32\svchost.exe[4704] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 0006002C
.text C:\Windows\system32\svchost.exe[4704] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 00060FE5
.text C:\Windows\system32\svchost.exe[4704] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 00060FA5
.text C:\Windows\system32\svchost.exe[4704] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 00060047
.text C:\Windows\system32\svchost.exe[4704] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 00060FCA
.text C:\Windows\system32\svchost.exe[4704] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00060000
.text C:\Windows\system32\svchost.exe[4704] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 0006001B
.text C:\Windows\system32\svchost.exe[4704] WS2_32.dll!socket 761436D1 5 Bytes JMP 005B0000
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!GetStartupInfoW 75D41929 5 Bytes JMP 000100A7
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!GetStartupInfoA 75D419C9 5 Bytes JMP 00010F57
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!CreateProcessW 75D41BF3 5 Bytes JMP 000100D3
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!CreateProcessA 75D41C28 5 Bytes JMP 000100B8
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!VirtualProtect 75D41DC3 5 Bytes JMP 00010071
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!CreateNamedPipeA 75D42EF5 5 Bytes JMP 0001001B
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!CreateNamedPipeW 75D45C0C 5 Bytes JMP 00010FCA
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!CreatePipe 75D68E6E 1 Byte [E9]

#10
December 20, 2009 at 09:39:32
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!CreatePipe 75D68E6E 5 Bytes JMP 00010F72
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!LoadLibraryExW 75D69109 5 Bytes JMP 00010054
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!LoadLibraryW 75D69362 5 Bytes JMP 00010FA8
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!LoadLibraryExA 75D694B4 5 Bytes JMP 00010F97
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!LoadLibraryA 75D694DC 5 Bytes JMP 00010FB9
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!VirtualProtectEx 75D6DBDA 5 Bytes JMP 00010082
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!GetProcAddress 75D8903B 5 Bytes JMP 000100F8
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!CreateFileW 75D8AECB 5 Bytes JMP 0001000A
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!CreateFileA 75D8CE5F 5 Bytes JMP 00010FEF
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] kernel32.dll!WinExec 75DD5CF7 5 Bytes JMP 00010F3C
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] ADVAPI32.dll!RegCreateKeyExA 771F39AB 5 Bytes JMP 0016004A
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] ADVAPI32.dll!RegCreateKeyA 771F3BA9 5 Bytes JMP 00160FA8
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] ADVAPI32.dll!RegOpenKeyA 771F89C7 5 Bytes JMP 00160FEF
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] ADVAPI32.dll!RegCreateKeyW 7720391E 5 Bytes JMP 0016002F
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] ADVAPI32.dll!RegCreateKeyExW 772041F1 5 Bytes JMP 00160065
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] ADVAPI32.dll!RegOpenKeyExA 77207C42 5 Bytes JMP 0016000A
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] ADVAPI32.dll!RegOpenKeyW 7720E2B5 5 Bytes JMP 00160FD4
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] ADVAPI32.dll!RegOpenKeyExW 77217BA1 5 Bytes JMP 00160FB9
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] msvcrt.dll!_wsystem 76FA7F2F 5 Bytes JMP 00170FB2
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] msvcrt.dll!system 76FA804B 5 Bytes JMP 00170033
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] msvcrt.dll!_creat 76FABBE1 5 Bytes JMP 00170FD4
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] msvcrt.dll!_open 76FAD106 5 Bytes JMP 00170000
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] msvcrt.dll!_wcreat 76FAD326 5 Bytes JMP 00170FC3
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] msvcrt.dll!_wopen 76FAD501 5 Bytes JMP 00170FEF
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] WS2_32.dll!socket 761436D1 5 Bytes JMP 00280FEF
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] WININET.dll!InternetOpenA 75FCD47D 5 Bytes JMP 02610FE5
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] WININET.dll!InternetOpenW 75FCD7DA 5 Bytes JMP 02610000
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] WININET.dll!InternetOpenUrlA 75FCFE4B 5 Bytes JMP 02610011
.text C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE[5572] WININET.dll!InternetOpenUrlW 76019139 5 Bytes JMP 02610022

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

#11
December 20, 2009 at 10:38:34
Ya gotta love Dell.

Go to start> control panel> add/remove programs and uninstall these programs:

Browser Address Error Redirector

Then navigate to and delete this folder:

C:\Program Files\Dell\BAE

Please download GooredFix and save it to your Desktop.

1. Double-click GooredFix.exe to run it.

2. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Restart the computer and let me know if you are still being redirected please.

#12
December 20, 2009 at 17:19:12
Here's the text file, I'll reboot and let you know if I get redirected.

GooredFix by jpshortstuff (06.12.09.1)
Log created at 18:21 on 20/12/2009 (scott)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:00 02/10/2008]

C:\Users\scott\Application Data\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\
chachaexpeditorhelper@matt.barbieri [11:41 24/08/2009]
chachaguidebar@chacha.com [14:30 09/07/2009]
statsclicker@codewolf [18:39 06/06/2009]
texpertension@texperts.com [21:09 06/08/2009]
{20a82645-c095-46ed-80e3-08825760534b} [21:33 02/09/2009]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [16:22 20/12/2009]
{91aa5abe-9de4-4347-b7b5-322c38dd9271} [04:03 04/02/2009]
{E2883E8F-472F-4fb0-9522-AC9BF37916A7} [05:04 29/10/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [04:08 01/04/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [15:13 11/12/2009]

-=E.O.F=-

#13
December 20, 2009 at 17:26:33
I rebooted and it's still doing it, though not all of the time. I searched for a dozen or so companies/websites and I was able to get through about half the time... is there any sure fix?

#14
December 20, 2009 at 18:03:08
Are you using a router?

Go to start> run> type in ComboFix /Uninstall (note the space after ComboFix is needed) then press ok. Give it a few minutes to uninstall.

1. Download TDSSKiller and save it to your Desktop.
2. Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
3. Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v


4. If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
5. When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

#15
December 20, 2009 at 19:19:24
Here's the text from the TDSSKiller.txt file.

btw, I did the ComboFix / Uninstall and it appeared to run ComboFix again.

Host Name: SCOTT-PC
OS Name: Microsoft® Windows Vista™ Home Basic
OS Version: 6.0.6002 Service Pack 2 Build 6002
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: scott
Registered Organization:
Product ID:
Original Install Date: 8/13/2008, 5:17:45 PM
System Boot Time: 12/20/2009, 8:14:05 PM
System Manufacturer: Dell Inc.
System Model: Inspiron 1525
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x64 Family 6 Model 22 Stepping 1 GenuineIntel ~1995 Mhz
BIOS Version: Dell Inc. A13, 6/27/2008
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume3
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-07:00) Arizona
Total Physical Memory: 2,037 MB
Available Physical Memory: 941 MB
Page File: Max Size: 4,312 MB
Page File: Available: 3,032 MB
Page File: In Use: 1,280 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\SCOTT-PC
Hotfix(s): 117 Hotfix(s) Installed.
[01]: {562538FE-CABF-423C-BC3D-947718B140B2}
[02]: {75BF0776-6E82-4BE8-AD85-BA079BC8965A}
[03]: {64A29765-CB92-45B4-AE09-55997CF4D9AA}
[04]: {FFB59000-EB47-45BC-842A-EFFBDA635C94}
[05]: KB971513
[06]: KB971512
[07]: KB960362
[08]: KB971514
[09]: KB905866
[10]: KB935509
[11]: KB937287
[12]: KB938371
[13]: KB938464
[14]: KB941693
[15]: KB945533
[16]: KB946927
[17]: KB947562
[18]: KB947864
[19]: KB948278
[20]: KB948590
[21]: KB948609
[22]: KB948610
[23]: KB948881
[24]: KB950582
[25]: KB950762
[26]: KB950974
[27]: KB951066
[28]: KB951072
[29]: KB951376
[30]: KB951698
[31]: KB951978
[32]: KB952004
[33]: KB952069
[34]: KB952287
[35]: KB952709
[36]: KB953155
[37]: KB953733
[38]: KB953838
[39]: KB953839
[40]: KB954154
[41]: KB954155
[42]: KB954211
[43]: KB954366
[44]: KB954459
[45]: KB955020
[46]: KB955069
[47]: KB955302
[48]: KB955430
[49]: KB955839
[50]: KB956390
[51]: KB956391
[52]: KB956572
[53]: KB956744
[54]: KB956802
[55]: KB956841
[56]: KB957095
[57]: KB957097
[58]: KB957200
[59]: KB957321
[60]: KB957388
[61]: KB958215
[62]: KB958481
[63]: KB958483
[64]: KB958623
[65]: KB958624
[66]: KB958644
[67]: KB958687
[68]: KB958690
[69]: KB959108
[70]: KB959130
[71]: KB959426
[72]: KB959772
[73]: KB960225
[74]: KB960714
[75]: KB960715
[76]: KB960803
[77]: KB961260
[78]: KB961371
[79]: KB961501
[80]: KB963027
[81]: KB967723
[82]: KB968389
[83]: KB968537
[84]: KB968816
[85]: KB969897
[86]: KB969898
[87]: KB969947
[88]: KB970238
[89]: KB970430
[90]: KB970653
[91]: KB970710
[92]: KB971486
[93]: KB971557
[94]: KB971657
[95]: KB971737
[96]: KB971961
[97]: KB972036
[98]: KB972145
[99]: KB972260
[100]: KB973346
[101]: KB973507
[102]: KB973525
[103]: KB973540
[104]: KB973565
[105]: KB973687
[106]: KB974318
[107]: KB974455
[108]: KB974470
[109]: KB974571
[110]: KB975467
[111]: KB975517
[112]: KB976098
[113]: KB976325
[114]: KB976470
[115]: KB976749
[116]: KB948465
[117]: 940157
Network Card(s): 2 NIC(s) Installed.
[01]: Marvell Yukon 88E8040 PCI-E Fast Ethernet Controller
Connection Name: Local Area Connection
Status: Media disconnected
[02]: Dell Wireless 1395 WLAN Mini-Card
Connection Name: Wireless Network Connection
DHCP Enabled: Yes
DHCP Server: 192.168.1.1
IP address(es)
[01]: 192.168.1.100
[02]: fe80::f089:1b6a:54e1:5e6d
20:18:35:912 5812 ForceUnloadDriver: NtUnloadDriver error 2
20:18:35:912 5812 ForceUnloadDriver: NtUnloadDriver error 2
20:18:35:912 5812 ForceUnloadDriver: NtUnloadDriver error 2
20:18:35:975 5812 main: Driver KLMD successfully dropped
20:18:47:862 5812 main: Driver KLMD successfully loaded
20:18:47:862 5812
Scanning Registry ...
20:18:47:862 5812 ScanServices: Searching service UACd.sys
20:18:47:862 5812 ScanServices: Open/Create key error 2
20:18:47:862 5812 ScanServices: Searching service TDSSserv.sys
20:18:47:862 5812 ScanServices: Open/Create key error 2
20:18:47:862 5812 ScanServices: Searching service gaopdxserv.sys
20:18:47:862 5812 ScanServices: Open/Create key error 2
20:18:47:862 5812 ScanServices: Searching service gxvxcserv.sys
20:18:47:862 5812 ScanServices: Open/Create key error 2
20:18:47:862 5812 ScanServices: Searching service MSIVXserv.sys
20:18:47:862 5812 ScanServices: Open/Create key error 2
20:18:47:862 5812 UnhookRegistry: Kernel module file name: C:\Windows\system32\ntkrnlpa.exe, base addr: 82205000
20:18:48:2 5812 UnhookRegistry: Kernel local addr: 1B70000
20:18:48:2 5812 UnhookRegistry: KeServiceDescriptorTable addr: 1CA7B00
20:18:48:49 5812 UnhookRegistry: KiServiceTable addr: 1C1C82C
20:18:48:49 5812 UnhookRegistry: NtEnumerateKey service number (local): 85
20:18:48:49 5812 UnhookRegistry: NtEnumerateKey local addr: 1D6D0BA
20:18:48:65 5812 KLMD_OpenDevice: Trying to open KLMD device
20:18:48:65 5812 KLMD_GetSystemRoutineAddressA: Trying to get system routine address ZwEnumerateKey
20:18:48:65 5812 KLMD_GetSystemRoutineAddressW: Trying to get system routine address ZwEnumerateKey
20:18:48:65 5812 KLMD_ReadMem: Trying to ReadMemory 0x8224DD19[0x4]
20:18:48:65 5812 UnhookRegistry: NtEnumerateKey service number (kernel): 85
20:18:48:65 5812 KLMD_ReadMem: Trying to ReadMemory 0x822B1A40[0x4]
20:18:48:65 5812 UnhookRegistry: NtEnumerateKey real addr: 824020BA
20:18:48:65 5812 UnhookRegistry: NtEnumerateKey calc addr: 824020BA
20:18:48:65 5812 UnhookRegistry: No SDT hooks found on NtEnumerateKey
20:18:48:65 5812 KLMD_ReadMem: Trying to ReadMemory 0x824020BA[0xA]
20:18:48:65 5812 UnhookRegistry: No splicing found on NtEnumerateKey
20:18:48:65 5812
Scanning Kernel memory ...
20:18:48:65 5812 KLMD_OpenDevice: Trying to open KLMD device
20:18:48:65 5812 KLMD_GetSystemObjectAddressByNameA: Trying to get system object address by name \Driver\Disk
20:18:48:65 5812 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
20:18:48:65 5812 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8562C558
20:18:48:65 5812 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
20:18:48:65 5812 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 8564B758
20:18:48:65 5812 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8564B758
20:18:48:65 5812 DetectCureTDL3: 0 Curr stack PDEVICE_OBJECT: 84BCA030
20:18:48:65 5812 KLMD_GetLowerDeviceObject: Trying to get lower device object for 84BCA030
20:18:48:65 5812 KLMD_ReadMem: Trying to ReadMemory 0x84BCA030[0x38]
20:18:48:65 5812 DetectCureTDL3: DRIVER_OBJECT addr: 84BBBF38
20:18:48:65 5812 KLMD_ReadMem: Trying to ReadMemory 0x84BBBF38[0xA8]
20:18:48:65 5812 KLMD_ReadMem: Trying to ReadMemory 0x84B9E638[0x208]
20:18:48:65 5812 DetectCureTDL3: DRIVER_OBJECT name: \Driver\iaStor, Driver Name: iaStor
20:18:48:65 5812 DetectCureTDL3: IrpHandler (0) addr: 87A40818
20:18:48:65 5812 DetectCureTDL3: IrpHandler (1) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (2) addr: 87A40818
20:18:48:80 5812 DetectCureTDL3: IrpHandler (3) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (4) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (5) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (6) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (7) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (8) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (9) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (10) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (11) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (12) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (13) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (14) addr: 87A3E132
20:18:48:80 5812 DetectCureTDL3: IrpHandler (15) addr: 87A3B918
20:18:48:80 5812 DetectCureTDL3: IrpHandler (16) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (17) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (18) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (19) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (20) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (21) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (22) addr: 87A37AB4
20:18:48:80 5812 DetectCureTDL3: IrpHandler (23) addr: 87A3707C
20:18:48:80 5812 DetectCureTDL3: IrpHandler (24) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (25) addr: 8222D9D2
20:18:48:80 5812 DetectCureTDL3: IrpHandler (26) addr: 8222D9D2
20:18:48:80 5812 KLMD_ReadMem: Trying to ReadMemory 0x0[0x400]
20:18:48:80 5812 KLMD_ReadMem: DeviceIoControl error 1
20:18:48:80 5812 TDL3_StartIoHookDetect: Unable to get StartIo handler code
20:18:48:80 5812 TDL3_FileDetect: Processing driver: iaStor
20:18:48:80 5812 TDL3_FileDetect: Parameters: C:\Windows\system32\drivers\iastor.sys, C:\Windows\system32\Drivers\tsk_iastor.sys, SYSTEM\CurrentControlSet\Services\iaStor, system32\Drivers\tsk_iastor.sys
20:18:48:80 5812 TDL3_FileDetect: Processing driver file: C:\Windows\system32\drivers\iastor.sys
20:18:48:80 5812 KLMD_CreateFileW: Trying to open file C:\Windows\system32\drivers\iastor.sys
20:18:48:96 5812
Completed

Results:
20:18:48:96 5812 Infected objects in memory: 0
20:18:48:96 5812 Cured objects in memory: 0
20:18:48:96 5812 Infected objects on disk: 0
20:18:48:96 5812 Objects on disk cured on reboot: 0
20:18:48:96 5812 Objects on disk deleted on reboot: 0
20:18:48:96 5812 Registry nodes deleted on reboot: 0
20:18:48:96 5812



#16
December 20, 2009 at 19:46:16
Navigate to and delete this file:


C:\Windows\tasks\VKKMI.job

If possible download ComboFix with internet explorer instead of Firefox.

The ComboFix uninstall runs sort of like the real program, you should have got a message "uninstall complete".

Remember, your McAfee antivirus, Windows Defender, and Ad-Aware must be turned off or disabled before running ComboFix. The clickable link "This Link" in the ComboFix tutorial will help you get them disabled.


Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Rename the setup file, combofix.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename combofix.exe to Combo-Fix in the filename box, then click Save.
Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.
If you are using Firefox, make sure that your download settings are as follows:
Tools->Options->Main tab
Set to "Always ask me where to Save the files".

Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on Combo-Fix.exe & follow the prompts.
Install the recovery console when asked.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt".
Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to hang.


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.



#17
December 20, 2009 at 20:39:23
Here's the text from combofix.txt

ComboFix 09-12-20.03 - scott 12/20/2009 21:28:45.3.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2037.1109 [GMT -7:00]
Running from: c:\users\scott\Desktop\combofix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-11-21 to 2009-12-21 )))))))))))))))))))))))))))))))
.

2009-12-21 04:35 . 2009-12-21 04:35 -------- d-----w- c:\users\scott\AppData\Local\temp
2009-12-21 04:35 . 2009-12-21 04:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-12-21 04:35 . 2009-12-21 04:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-21 03:38 . 2009-12-21 03:38 -------- d-----w- c:\users\scott\AppData\Roaming\Cycling '74
2009-12-20 16:41 . 2009-12-20 16:41 -------- d-----w- c:\program files\trend micro
2009-12-20 16:41 . 2009-12-20 16:41 -------- d-----w- C:\rsit
2009-12-19 20:03 . 2009-12-19 20:03 -------- d-----w- c:\program files\ESET
2009-12-19 19:43 . 2009-12-19 19:43 -------- d-----w- c:\users\scott\AppData\Roaming\Malwarebytes
2009-12-19 19:43 . 2009-12-03 23:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-19 19:43 . 2009-12-19 19:43 -------- d-----w- c:\programdata\Malwarebytes
2009-12-19 19:43 . 2009-12-19 19:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 19:43 . 2009-12-03 23:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-19 18:17 . 2009-12-19 18:17 -------- d-----w- c:\users\scott\AppData\Roaming\AVG8
2009-12-19 15:05 . 2009-12-21 03:16 52224 ----a-w- c:\users\scott\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2009-12-19 15:05 . 2009-12-19 15:05 117760 ----a-w- c:\users\scott\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-12-19 15:04 . 2009-12-19 15:04 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2009-12-19 15:04 . 2009-12-19 15:04 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-12-19 15:04 . 2009-12-19 15:04 -------- d-----w- c:\users\scott\AppData\Roaming\SUPERAntiSpyware.com
2009-12-19 15:03 . 2009-12-19 15:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-19 14:37 . 2009-12-19 18:07 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-19 14:37 . 2009-12-19 18:06 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-12-19 14:16 . 2009-12-19 14:16 -------- d-----w- c:\users\scott\AppData\Local\Citrix
2009-12-19 14:16 . 2009-12-19 14:16 61224 ----a-w- c:\users\scott\GoToAssistDownloadHelper.exe
2009-12-19 14:10 . 2009-09-30 19:11 288096 ----a-r- c:\users\scott\AppData\Roaming\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-12-19 14:09 . 2009-12-19 14:09 -------- d-----w- c:\users\scott\AppData\Roaming\McAfee
2009-12-14 13:05 . 2009-12-14 13:05 484976 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb7542.tmp.exe
2009-12-11 15:46 . 2009-12-11 15:46 132096 --sha-r- c:\windows\system32\msdtclogk.dll
2009-12-11 15:37 . 2009-11-03 03:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-12-11 15:12 . 2009-11-04 23:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-12-11 15:12 . 2009-11-04 23:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-12-11 15:12 . 2009-11-04 23:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-12-11 15:12 . 2009-07-16 19:32 130424 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-12-11 15:11 . 2009-12-11 15:12 -------- d-----w- c:\program files\Common Files\McAfee
2009-12-11 15:11 . 2009-12-11 15:12 -------- d-----w- c:\program files\McAfee.com
2009-12-11 15:11 . 2009-12-19 14:08 -------- d-----w- c:\program files\McAfee
2009-12-11 15:06 . 2009-11-04 23:53 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-12-09 03:00 . 2009-08-24 11:36 377344 ----a-w- c:\windows\system32\winhttp.dll
2009-12-09 02:59 . 2009-10-27 14:11 834048 ----a-w- c:\windows\system32\wininet.dll
2009-12-09 02:59 . 2009-10-27 13:16 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-09 02:59 . 2009-11-03 21:43 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 02:59 . 2009-11-03 21:42 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 02:59 . 2009-11-03 19:41 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-09 02:58 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-11-25 05:22 . 2009-10-29 09:17 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-25 01:36 . 2009-08-11 16:44 1401856 ----a-w- c:\windows\system32\msxml6.dll
2009-11-25 01:36 . 2009-08-11 16:44 1248768 ----a-w- c:\windows\system32\msxml3.dll
2009-11-22 21:52 . 2009-11-22 21:52 -------- d-----w- c:\users\scott\AppData\Local\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-21 01:20 . 2008-08-14 05:30 -------- d-----w- c:\program files\Dell
2009-12-20 16:22 . 2008-11-23 02:44 -------- d-----w- c:\program files\CCleaner
2009-12-19 19:17 . 2009-05-15 19:04 -------- d-----w- c:\program files\Notebook Hardware Control
2009-12-19 14:21 . 2008-10-02 19:47 -------- d-----w- c:\programdata\Citrix
2009-12-19 14:08 . 2008-08-14 05:36 -------- d-----w- c:\programdata\McAfee
2009-12-19 13:20 . 2009-05-15 19:04 22528 ----a-w- c:\windows\system32\drivers\nhcDriver.sys
2009-12-11 20:45 . 2008-11-15 22:27 5972 ----a-w- c:\users\scott\AppData\Local\d3d9caps.dat
2009-12-09 05:09 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-11-17 11:46 . 2009-11-17 11:46 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-17 11:46 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-17 11:41 . 2009-11-17 11:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-17 11:41 . 2009-11-17 11:41 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-04 23:54 . 2009-11-04 23:54 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-29 05:11 . 2009-09-19 14:40 -------- d-----w- c:\programdata\NOS
2009-10-29 05:06 . 2009-10-29 05:06 -------- d-----w- c:\programdata\McAfee Security Scan
2009-10-29 05:06 . 2009-10-29 05:06 -------- d-----w- c:\program files\McAfee Security Scan
2009-10-08 21:08 . 2009-11-17 04:49 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:08 . 2009-11-17 04:49 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:07 . 2009-11-17 04:49 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-04 04:18 . 2009-10-04 04:18 127872 ----a-w- c:\users\scott\AppData\Roaming\Move Networks\uninstall.exe
2009-10-04 04:18 . 2009-06-16 06:35 4183416 ----a-w- c:\users\scott\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
2009-10-02 00:16 . 2009-10-02 00:16 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb6FF4.tmp.exe
2009-10-01 01:02 . 2009-11-17 04:51 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-11-17 04:51 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-10-01 01:02 . 2009-11-17 04:51 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-11-17 04:51 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-11-17 04:51 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-17 04:51 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-11-17 04:51 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-11-17 04:51 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-11-17 04:51 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-11-17 04:51 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-11-17 04:50 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-11-17 04:51 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-11-17 04:51 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-11-17 04:51 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-11-17 04:51 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01 . 2009-11-17 04:51 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:10 . 2009-11-17 04:51 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-11-17 04:51 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-11-17 04:51 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-11-17 04:51 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-11-17 04:51 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-11-17 04:51 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-11-17 04:51 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-11-17 04:51 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-11-17 04:51 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-11-17 04:51 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-11-17 04:51 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-11-17 04:51 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-11-17 04:51 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-11-17 04:51 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-11-17 04:51 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-11-17 04:51 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-11-17 04:51 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-11-17 04:51 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-11-17 04:51 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30 . 2009-11-17 04:51 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27 . 2009-11-17 04:51 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-11-17 04:51 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-11-17 04:51 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-11-17 04:51 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-11-17 04:51 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-11-17 04:51 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-11-17 04:51 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-23 23:37 . 2009-10-29 05:04 34112 ----a-w- c:\users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-09-23 23:37 . 2009-10-29 05:04 32448 ----a-w- c:\users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-09-23 23:37 . 2009-10-29 05:04 22352 ----a-w- c:\users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2008-08-14 08:10 . 2008-08-14 08:10 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-12-20_15.39.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-21 01:58 . 2009-12-21 03:16 50654 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2008-01-21 01:58 . 2009-12-20 15:11 50654 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-12-21 03:16 76880 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-10-02 18:30 . 2009-12-21 03:16 12522 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1311262568-1303121344-4212267574-1001_UserData.bin
+ 2009-12-21 03:16 . 2009-12-21 03:16 10078 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\74A956292B9D7ED29866593C7E501FA45B187192\74A956292B9D7ED29866593C7E501FA45B187192\Data.dat
- 2009-12-20 15:11 . 2009-12-20 15:11 10078 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\74A956292B9D7ED29866593C7E501FA45B187192\74A956292B9D7ED29866593C7E501FA45B187192\Data.dat
+ 2008-10-02 18:27 . 2009-12-21 03:16 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-10-02 18:27 . 2009-12-20 15:11 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-12-19 19:37 . 2009-12-21 03:16 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-12-19 19:37 . 2009-12-20 15:11 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-10-02 18:27 . 2009-12-20 15:11 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-10-02 18:27 . 2009-12-21 03:16 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-12-21 03:37 . 2009-12-21 03:37 3484 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\F580E258049922DF75DA8728B1F80FF2ADDBF34C\F580E258049922DF75DA8728B1F80FF2ADDBF34C\Data.dat
+ 2009-12-21 03:31 . 2009-12-21 03:31 5832 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\F1B90297A77EB90FE61C25A32991D533F753260F\F1B90297A77EB90FE61C25A32991D533F753260F\Data.dat
+ 2009-12-21 03:16 . 2009-12-21 03:16 5792 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\C71AC28DCACABABD866E5A703A02425E8E3F31C4\C71AC28DCACABABD866E5A703A02425E8E3F31C4\Data.dat
+ 2009-12-21 02:54 . 2009-12-21 02:54 5796 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\A5877CE0E690B9C86A0C889F25AC3B29484C9C06\A5877CE0E690B9C86A0C889F25AC3B29484C9C06\Data.dat
+ 2009-12-21 03:23 . 2009-12-21 03:23 5746 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\A55E5BF05E51DBCF78A05FD9E1912D1EDF684461\A55E5BF05E51DBCF78A05FD9E1912D1EDF684461\Data.dat
+ 2009-12-21 04:25 . 2009-12-21 04:25 5816 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\A0F1B16D8B5AA2C7EEBA90EBD41ABFBDFC8219EF\A0F1B16D8B5AA2C7EEBA90EBD41ABFBDFC8219EF\Data.dat
+ 2009-12-21 03:52 . 2009-12-21 03:52 5820 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\9F1C795F3947B774C242306A9BEEA193966FCDBF\9F1C795F3947B774C242306A9BEEA193966FCDBF\Data.dat
+ 2009-12-21 03:52 . 2009-12-21 03:52 6124 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\96A18E7425A035375461D38871288567F7F0DD59\96A18E7425A035375461D38871288567F7F0DD59\Data.dat
+ 2009-12-21 04:13 . 2009-12-21 04:13 3526 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\8F6A3B186B49962C0D51C93E705FD5A4DF903B10\8F6A3B186B49962C0D51C93E705FD5A4DF903B10\Data.dat
- 2009-12-20 15:11 . 2009-12-20 15:11 3526 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\8F6A3B186B49962C0D51C93E705FD5A4DF903B10\8F6A3B186B49962C0D51C93E705FD5A4DF903B10\Data.dat
- 2009-12-20 15:22 . 2009-12-20 15:22 5322 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\3A3C5F7CC9415160B34912634CB95978E99A7DDE\3A3C5F7CC9415160B34912634CB95978E99A7DDE\Data.dat
+ 2009-12-21 04:20 . 2009-12-21 04:20 5322 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\3A3C5F7CC9415160B34912634CB95978E99A7DDE\3A3C5F7CC9415160B34912634CB95978E99A7DDE\Data.dat
+ 2009-12-21 04:13 . 2009-12-21 04:13 3442 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\37B252FCBA50CD2E3E6E36026D6CCAD4D2B770A8\37B252FCBA50CD2E3E6E36026D6CCAD4D2B770A8\Data.dat
+ 2009-12-21 03:16 . 2009-12-21 03:16 3498 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\0B5265C0397CA5696B472654D059B1DC319245E2\0B5265C0397CA5696B472654D059B1DC319245E2\Data.dat
+ 2009-12-21 03:14 . 2009-12-21 03:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-12-20 15:09 . 2009-12-20 15:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-12-21 03:14 . 2009-12-21 03:14 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-12-20 15:09 . 2009-12-20 15:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-12-21 03:19 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-12-20 15:18 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-12-21 03:19 101350 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-12-20 15:18 101350 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-29 17920]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-05-19 3444736]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-14 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-02 151552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-13 50688]
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):3c,1b,ed,b5,b3,3a,ca,01

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [12/12/2008 8:40 PM 73728]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [4/28/2008 2:56 PM 161048]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [12/11/2009 8:13 AM 210216]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [8/14/2008 1:11 AM 111616]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [1/20/2008 7:33 PM 21504]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD
*Deregistered* - KLMD

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\progra~1\MOZILL~1\plugins\np_gp.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\users\scott\AppData\Local\Yahoo!\BrowserPlus\2.4.21\Plugins\npybrowserplus_2.4.21.dll
FF - plugin: c:\users\scott\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-20 21:35
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3400)
c:\program files\McAfee\SiteAdvisor\saHook.dll
.
Completion time: 2009-12-20 21:38:50
ComboFix-quarantined-files.txt 2009-12-21 04:38
ComboFix2.txt 2009-12-21 03:12
ComboFix3.txt 2009-12-20 15:42

Pre-Run: 56,326,103,040 bytes free
Post-Run: 56,304,574,464 bytes free

- - End Of File - - 83CCAB68656034F4CDFEB1F21618C300



#18
December 20, 2009 at 20:46:59
Please download GooredFix and save it to your Desktop.

1. Double-click GooredFix.exe to run it.

2. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Are you still being redirected?



#19
December 21, 2009 at 04:28:03
Yes I am still being redirected.

The text for GooredFix is below.

Another annoying thing that I'm sure is related to all of this is that now my Firefox add-ons aren't working.

GooredFix by jpshortstuff (06.12.09.1)
Log created at 05:30 on 21/12/2009 (scott)
Firefox version 3.5.6 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:00 02/10/2008]

C:\Users\scott\Application Data\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\
chachaexpeditorhelper@matt.barbieri [12:21 21/12/2009]
chachaguidebar@chacha.com [04:14 21/12/2009]
statsclicker@codewolf [18:39 06/06/2009]
texpertension@texperts.com [21:09 06/08/2009]
{20a82645-c095-46ed-80e3-08825760534b} [21:33 02/09/2009]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [16:22 20/12/2009]
{91aa5abe-9de4-4347-b7b5-322c38dd9271} [12:25 21/12/2009]
{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51} [03:37 21/12/2009]
{E2883E8F-472F-4fb0-9522-AC9BF37916A7} [05:04 29/10/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [04:08 01/04/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [15:13 11/12/2009]

---------- Old Logs ----------
GooredFix[01.21.49_21-12-2009].txt
GooredFix[01.41.05_21-12-2009].txt

-=E.O.F=-



#20
December 21, 2009 at 07:01:51
Are you using a router?

Please download OTL from the following site:

OTL by OldTimer

1. Save it to your desktop.
2. Double-click the OTL icon on your desktop.
3. Close any open browsers.
4. Double-click on OTL.exe to start the program.
Leave all settings at their defaults, except for the following:

Under the Custom Scan box, paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor*.sys /s /md5
%SYSTEMDRIVE%\atapi* /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
%SYSTEMDRIVE%\nvatabus.sys /s /md5
%SYSTEMDRIVE%\viamraid.sys /s /md5
%SYSTEMDRIVE%\nvata.sys /s /md5
%SYSTEMDRIVE%\nvgts.sys /s /md5
%SYSTEMDRIVE%\iastorv.sys /s /md5
%SYSTEMDRIVE%\ViPrt.sys /s /md5
%SYSTEMDRIVE%\eNetHook.dll /s /md5


Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that Notepad file.
Post the contents of that Notepad document in your next reply. It may take several posts to get the info to us, but please post all of it.



#21
December 21, 2009 at 07:08:45
Oops, I forgot to answer your router question before. Sorry.

Yes, I am using a router.

I will work on the OTL later this evening as I am at work right now and my laptop is at home.

I really appreciate all of your help. I'll put the contents of the OTL output up once they're available.

Thanks again.



#22
December 21, 2009 at 19:34:02
Here are the results:

OTL logfile created on: 12/21/2009 8:10:53 PM - Run 1
OTL by OldTimer - Version 3.1.19.0 Folder = C:\Users\scott\Desktop
Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 7.0.6002.18005)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 99.48 Gb Total Space | 52.50 Gb Free Space | 52.77% Space Free | Partition Type: NTFS
Drive D: | 9.77 Gb Total Space | 5.61 Gb Free Space | 57.43% Space Free | Partition Type: NTFS
Drive E: | 60.13 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: SCOTT-PC
Current User Name: scott
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/12/21 20:09:23 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\scott\Desktop\OTL.exe
PRC - [2009/12/16 16:26:56 | 02,002,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/02 13:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/27 17:19:10 | 00,199,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/21 11:13:58 | 00,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
PRC - [2009/04/10 23:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/01/06 13:06:36 | 00,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/01/06 13:06:24 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/08/14 00:04:44 | 00,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
PRC - [2008/05/18 23:26:20 | 03,444,736 | ---- | M] (Dell Inc.) -- C:\Windows\System32\WLTRAY.EXE
PRC - [2008/05/18 23:26:20 | 00,024,064 | ---- | M] () -- C:\Windows\System32\WLTRYSVC.EXE
PRC - [2008/05/18 23:25:26 | 02,506,752 | ---- | M] (Dell Inc.) -- C:\Windows\System32\BCMWLTRY.EXE
PRC - [2008/05/04 02:25:32 | 00,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/05/04 02:25:26 | 00,167,936 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/05/04 02:25:26 | 00,050,736 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
PRC - [2008/05/04 02:25:26 | 00,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2008/04/28 14:56:28 | 00,161,048 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/03/06 00:58:24 | 00,256,536 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxsrvc.exe
PRC - [2008/03/06 00:58:24 | 00,141,848 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxtray.exe
PRC - [2008/03/06 00:58:14 | 00,133,656 | ---- | M] (Intel Corporation) -- C:\Windows\System32\igfxpers.exe
PRC - [2008/03/06 00:58:10 | 00,166,424 | ---- | M] (Intel Corporation) -- C:\Windows\System32\hkcmd.exe
PRC - [2008/02/22 15:01:38 | 01,193,240 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2008/01/20 19:35:20 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2008/01/20 19:33:00 | 01,008,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MSASCui.exe
PRC - [2007/12/21 08:58:06 | 00,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2007/11/01 17:13:26 | 00,151,552 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
PRC - [2007/09/20 14:31:10 | 00,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
PRC - [2007/09/13 14:45:38 | 00,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/09/13 14:44:48 | 00,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/03/21 11:00:04 | 00,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/03/21 11:00:00 | 00,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/12/19 15:23:00 | 00,272,024 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe
PRC - [2006/11/03 16:02:14 | 00,050,688 | ---- | M] (Avanquest Software ) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2006/08/04 17:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) -- C:\Windows\System32\drivers\XAudio.exe
PRC - [2005/07/22 15:21:40 | 12,061,896 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE


========== Modules (SafeList) ==========

MOD - [2009/12/21 20:09:23 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\scott\Desktop\OTL.exe
MOD - [2009/04/10 23:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2009/02/11 11:06:38 | 00,014,032 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/04 16:53:34 | 00,144,704 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/11/04 15:59:50 | 00,606,736 | ---- | M] (McAfee, Inc.) [On_Demand | Running] -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/10/29 06:54:44 | 00,865,832 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/10/28 11:50:32 | 00,365,072 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/02 13:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/09/24 18:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/05/29 12:22:16 | 00,182,768 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () [Auto | Running] -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/01/06 13:06:24 | 00,536,872 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008/11/07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008/08/29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/08/14 00:04:44 | 00,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter)
SRV - [2008/08/13 22:35:48 | 00,029,744 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-010708-104812)
SRV - [2008/05/18 23:26:20 | 00,024,064 | ---- | M] () [Auto | Running] -- C:\Windows\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2008/04/28 14:56:28 | 00,161,048 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2008/03/24 05:35:22 | 00,074,384 | R--- | M] (MicroVision Development, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2008/01/20 19:33:00 | 00,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2007/09/20 14:31:10 | 00,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/09/13 14:45:38 | 00,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/03/21 11:00:04 | 00,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2007/02/05 10:11:18 | 00,075,320 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe -- (SSScsiSV)
SRV - [2007/02/05 10:11:16 | 00,112,184 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe -- (SonicStage Back-End Service)
SRV - [2006/12/19 15:23:00 | 00,272,024 | ---- | M] () [Auto | Running] -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo) Cyberlink RichVideo Service(CRVS)
SRV - [2006/12/14 02:21:20 | 00,045,056 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe -- (MSCSPTISRV)
SRV - [2006/12/14 02:02:08 | 00,069,632 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2006/12/14 01:46:16 | 00,057,344 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2006/08/04 17:39:20 | 00,386,560 | ---- | M] (Conexant Systems, Inc.) [Auto | Running] -- C:\Windows\System32\drivers\XAudio.exe -- (XAudioService)
SRV - [2005/11/14 01:06:04 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)



#23
December 21, 2009 at 19:34:37
========== Driver Services (SafeList) ==========

DRV - [2009/12/19 06:20:41 | 00,022,528 | ---- | M] (pBUS-167 Software - http://www.pbus-167.com) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nhcDriver.sys -- (nhcDriverDevice)
DRV - [2009/12/16 16:27:00 | 00,007,408 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Running] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2009/12/16 16:26:58 | 00,009,968 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/12/16 16:26:56 | 00,074,480 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2009/11/04 16:54:12 | 00,214,664 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/11/04 16:54:12 | 00,079,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/11/04 16:54:12 | 00,040,552 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/11/04 16:54:12 | 00,035,272 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/11/04 16:53:40 | 00,034,248 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 00,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/11/07 14:23:30 | 00,032,000 | ---- | M] (Apple, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\usbaapl.sys -- (USBAAPL)
DRV - [2008/05/18 23:26:02 | 01,044,984 | ---- | M] (Broadcom Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2008/05/04 02:25:24 | 00,164,400 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/04/17 13:12:54 | 00,015,464 | ---- | M] (GEAR Software Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/03/06 00:58:44 | 00,111,616 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)
DRV - [2008/03/06 00:58:12 | 02,016,256 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2008/01/20 19:32:53 | 00,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2008/01/20 19:32:53 | 00,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2008/01/20 19:32:52 | 00,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
DRV - [2008/01/20 19:32:52 | 00,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2008/01/20 19:32:52 | 00,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2008/01/20 19:32:52 | 00,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2008/01/20 19:32:51 | 00,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2008/01/20 19:32:51 | 00,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2008/01/20 19:32:51 | 00,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2008/01/20 19:32:50 | 01,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2008/01/20 19:32:50 | 00,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
DRV - [2008/01/20 19:32:50 | 00,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2008/01/20 19:32:49 | 00,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2008/01/20 19:32:49 | 00,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2008/01/20 19:32:49 | 00,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2008/01/20 19:32:49 | 00,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2008/01/20 19:32:49 | 00,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2008/01/20 19:32:48 | 00,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2008/01/20 19:32:48 | 00,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2008/01/20 19:32:47 | 00,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2008/01/20 19:32:47 | 00,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2008/01/20 19:32:46 | 00,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2008/01/20 19:32:45 | 00,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2008/01/20 19:32:21 | 00,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2008/01/20 19:32:21 | 00,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2008/01/20 19:32:21 | 00,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/11/14 01:00:00 | 00,043,840 | ---- | M] (Sonic Solutions) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2007/11/12 04:07:28 | 00,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/09/28 22:31:54 | 00,278,528 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)
DRV - [2007/09/06 09:43:26 | 00,304,920 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)
DRV - [2007/09/06 09:35:16 | 00,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/09/06 09:35:14 | 00,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/09/06 09:35:12 | 00,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/02 19:43:30 | 00,986,624 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV)
DRV - [2006/11/02 19:42:18 | 00,206,848 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL)
DRV - [2006/11/02 19:42:08 | 00,659,968 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf)
DRV - [2006/11/02 02:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 02:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 02:50:19 | 00,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 02:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 02:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 02:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 02:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 02:50:05 | 00,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 02:50:03 | 00,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 02:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 02:49:56 | 00,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 01:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 01:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 01:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 01:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 01:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 01:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 00:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 00:36:43 | 02,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/01 23:37:21 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2006/08/04 17:39:10 | 00,008,192 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2006/06/19 14:26:58 | 00,012,672 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\mdmxsdk.sys -- (mdmxsdk)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: {E2883E8F-472F-4fb0-9522-AC9BF37916A7}:1
FF - prefs.js..extensions.enabledItems: 6
FF - prefs.js..extensions.enabledItems: 2
FF - prefs.js..extensions.enabledItems: 48
FF - prefs.js..extensions.enabledItems: {C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}:2.3.50
FF - prefs.js..extensions.enabledItems: chachaexpeditorhelper@matt.barbieri:1.5
FF - prefs.js..extensions.enabledItems: chachaguidebar@chacha.com:1.2
FF - prefs.js..extensions.enabledItems: {91aa5abe-9de4-4347-b7b5-322c38dd9271}:3.1
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.9
FF - prefs.js..extensions.enabledItems: moveplayer@movenetworks.com:7
FF - prefs.js..extensions.enabledItems: texpertension@texperts.com:1.0.5
FF - prefs.js..extensions.enabledItems: {635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.4.20081105



#24
December 21, 2009 at 19:34:59
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/12/13 14:57:34 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Components: c:\Program Files\Mozilla Firefox\components [2009/12/16 04:46:16 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.6\extensions\\Plugins: c:\Program Files\Mozilla Firefox\plugins [2009/12/16 04:46:16 | 00,000,000 | ---D | M]

[2008/10/02 12:00:16 | 00,000,000 | ---D | M] -- C:\Users\scott\AppData\Roaming\Mozilla\Extensions
[2009/12/21 05:45:39 | 00,000,000 | ---D | M] -- C:\Users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions
[2009/12/20 09:23:41 | 00,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2009/12/21 05:25:33 | 00,000,000 | ---D | M] (Clippings) -- C:\Users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\{91aa5abe-9de4-4347-b7b5-322c38dd9271}
[2009/12/20 20:37:02 | 00,000,000 | ---D | M] (Answers) -- C:\Users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\{C0D0F6D1-9FC9-4b0a-B485-D5E13AF40D51}
[2009/10/28 22:04:55 | 00,000,000 | ---D | M] (Adobe DLM (powered by getPlus(R))) -- C:\Users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
[2009/12/21 05:21:59 | 00,000,000 | ---D | M] -- C:\Users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\chachaexpeditorhelper@matt.barbieri
[2009/12/20 21:14:23 | 00,000,000 | ---D | M] -- C:\Users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\chachaguidebar@chacha.com
[2009/06/06 11:39:52 | 00,000,000 | ---D | M] -- C:\Users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\statsclicker@codewolf
[2009/08/06 14:09:02 | 00,000,000 | ---D | M] -- C:\Users\scott\AppData\Roaming\Mozilla\Firefox\Profiles\81x0h8qs.default\extensions\texpertension@texperts.com
[2008/10/02 12:00:00 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (21 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll File not found
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\Windows\System32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [ECenter] C:\DELL\E-Center\EULALauncher.exe ( )
O4 - HKLM..\Run: [EverioService] C:\Program Files\CyberLink\PCM4Everio\EverioService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\System32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [IgfxTray] C:\Windows\System32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [Persistence] C:\Windows\System32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKCU..\Run: [DellSupportCenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\wmpnscfg.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (Sun Microsystems, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/ji... (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/ji... (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/ji... (Java Plug-in 1.6.0_05)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.105.28.12 68.105.29.12 68.105.28.11
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 14:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008/10/16 10:44:10 | 00,000,066 | R--- | M] () - E:\autorun.inf -- [ CDFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2008/01/20 19:46:39 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found

[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]

File not found -- C:\Users\scott\Desktop\combofix.exe
[2009/12/21 20:09:13 | 00,513,536 | ---- | C] (OldTimer Tools) -- C:\Users\scott\Desktop\OTL.exe
[2009/12/20 21:38:52 | 00,000,000 | ---D | C] -- C:\Users\scott\AppData\Local\temp
[2009/12/20 21:38:20 | 00,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2009/12/20 20:38:24 | 00,000,000 | ---D | C] -- C:\Users\scott\AppData\Roaming\Cycling '74
[2009/12/20 18:21:48 | 00,000,000 | ---D | C] -- C:\Users\scott\Desktop\GooredFix Backups
[2009/12/20 18:21:02 | 00,071,848 | ---- | C] (jpshortstuff) -- C:\Users\scott\Desktop\GooredFix.exe
[2009/12/20 10:23:21 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2009/12/20 09:41:13 | 00,000,000 | ---D | C] -- C:\Program Files\trend micro
[2009/12/20 09:41:12 | 00,000,000 | ---D | C] -- C:\rsit
[2009/12/20 08:28:17 | 00,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2009/12/20 08:28:14 | 00,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2009/12/20 08:28:14 | 00,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2009/12/20 08:28:14 | 00,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2009/12/20 08:26:26 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2009/12/20 08:25:55 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/12/19 13:03:02 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/12/19 12:43:42 | 00,000,000 | ---D | C] -- C:\Users\scott\AppData\Roaming\Malwarebytes
[2009/12/19 12:43:36 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/19 12:43:35 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2009/12/19 12:43:34 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/12/19 12:43:34 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/12/19 11:17:36 | 00,000,000 | ---D | C] -- C:\Users\scott\AppData\Roaming\AVG8
[2009/12/19 08:04:35 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2009/12/19 08:04:12 | 00,000,000 | ---D | C] -- C:\Users\scott\AppData\Roaming\SUPERAntiSpyware.com
[2009/12/19 08:04:12 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/12/19 08:03:59 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2009/12/19 07:37:09 | 00,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2009/12/19 07:37:09 | 00,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2009/12/19 07:16:48 | 00,000,000 | ---D | C] -- C:\Users\scott\AppData\Local\Citrix
[2009/12/19 07:09:13 | 00,000,000 | ---D | C] -- C:\Users\scott\AppData\Roaming\McAfee
[2009/12/11 08:37:24 | 00,195,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2009/12/11 08:12:23 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys
[2009/12/11 08:12:23 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfesmfk.sys
[2009/12/11 08:12:23 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys
[2009/12/11 08:12:20 | 00,130,424 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\Mpfp.sys
[2009/12/11 08:11:56 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2009/12/11 08:11:55 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee.com
[2009/12/11 08:11:54 | 00,000,000 | ---D | C] -- C:\Program Files\McAfee
[2009/12/11 08:06:56 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdk.sys
[2009/12/08 19:59:51 | 00,180,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2009/12/08 19:59:51 | 00,078,336 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieencode.dll
[2009/12/08 19:59:49 | 00,380,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieapfltr.dll
[2009/12/08 19:59:36 | 00,030,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\httpapi.dll
[2009/12/08 19:59:36 | 00,024,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\nshhttp.dll
[2009/12/08 19:58:43 | 00,243,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rastls.dll
[2009/12/05 17:37:40 | 00,134,408 | ---- | C] (Kaspersky Lab) -- C:\Users\scott\Desktop\TDSSKiller.exe
[2009/11/24 22:22:54 | 00,002,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\tzres.dll
[2009/11/24 18:36:48 | 00,714,240 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\timedate.cpl
[2009/11/22 14:52:29 | 00,000,000 | ---D | C] -- C:\Users\scott\AppData\Local\Yahoo!

[color=#E56717]========== Files - Modified Within 30 Days ==========[/color]

[2009/12/21 20:16:12 | 01,835,008 | -HS- | M] () -- C:\Users\scott\ntuser.dat
[2009/12/21 20:15:44 | 00,690,960 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/12/21 20:15:44 | 00,595,684 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/12/21 20:15:44 | 00,101,350 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/12/21 20:09:23 | 00,513,536 | ---- | M] (OldTimer Tools) -- C:\Users\scott\Desktop\OTL.exe
[2009/12/21 20:08:41 | 00,014,156 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2009/12/21 20:07:33 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/12/21 20:07:33 | 00,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/12/21 20:06:56 | 00,000,316 | -HS- | M] () -- C:\Windows\tasks\VKKMI.job
[2009/12/21 20:06:41 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/12/21 20:06:37 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/12/21 20:06:34 | 21,370,42944 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/21 06:14:59 | 00,524,288 | -HS- | M] () -- C:\Users\scott\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TMContainer00000000000000000001.regtrans-ms
[2009/12/21 06:14:59 | 00,065,536 | -HS- | M] () -- C:\Users\scott\NTUSER.DAT{d8932e6d-6a6f-11db-b6ab-a038f15a5785}.TM.blf
[2009/12/20 21:47:09 | 02,840,788 | -H-- | M] () -- C:\Users\scott\AppData\Local\IconCache.db
[2009/12/20 21:35:43 | 00,000,215 | ---- | M] () -- C:\Windows\system.ini
[2009/12/20 19:59:12 | 00,134,408 | ---- | M] (Kaspersky Lab) -- C:\Users\scott\Desktop\TDSSKiller.exe
[2009/12/20 19:54:52 | 00,117,293 | ---- | M] () -- C:\Users\scott\Desktop\tdsskiller.zip
[2009/12/20 18:21:04 | 00,071,848 | ---- | M] (jpshortstuff) -- C:\Users\scott\Desktop\GooredFix.exe
[2009/12/20 10:23:16 | 32,112,1504 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2009/12/20 09:51:49 | 00,293,376 | ---- | M] () -- C:\Users\scott\Desktop\lnxtt4ru.exe
[2009/12/20 09:47:00 | 00,026,624 | ---- | M] () -- C:\Users\scott\Desktop\Please download exeHelper to your desktop.doc
[2009/12/20 09:47:00 | 00,000,162 | -H-- | M] () -- C:\Users\scott\Desktop\~$ease download exeHelper to your desktop.doc
[2009/12/20 09:40:24 | 00,781,909 | ---- | M] () -- C:\Users\scott\Desktop\RSIT.exe
[2009/12/20 09:37:56 | 00,290,816 | ---- | M] () -- C:\Users\scott\Desktop\exeHelper.com
[2009/12/20 09:22:16 | 00,001,672 | ---- | M] () -- C:\Users\scott\Desktop\CCleaner.lnk
[2009/12/20 08:26:55 | 03,858,925 | R--- | M] () -- C:\Users\scott\Desktop\KittyFix.exe
[2009/12/19 12:43:39 | 00,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/19 12:15:59 | 00,000,021 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2009/12/19 08:04:14 | 00,000,904 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/19 07:16:47 | 00,061,224 | ---- | M] () -- C:\Users\scott\GoToAssistDownloadHelper.exe
[2009/12/19 07:08:54 | 00,001,889 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Virtual Technician.lnk
[2009/12/19 06:20:41 | 00,022,528 | ---- | M] (pBUS-167 Software - http://www.pbus-167.com) -- C:\Windows\System32\drivers\nhcDriver.sys
[2009/12/15 01:22:18 | 00,000,340 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2009/12/14 19:54:42 | 00,025,088 | ---- | M] () -- C:\Users\scott\Documents\Dear Santa.doc
[2009/12/11 13:45:03 | 00,005,972 | ---- | M] () -- C:\Users\scott\AppData\Local\d3d9caps.dat
[2009/12/11 13:43:36 | 00,000,318 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2009/12/11 08:46:31 | 00,132,096 | RHS- | M] () -- C:\Windows\System32\msdtclogk.dll
[2009/12/11 08:14:42 | 00,000,813 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Security Center.lnk
[2009/12/11 08:14:09 | 00,000,808 | ---- | M] () -- C:\Users\Public\Desktop\McAfee EasyNetwork.lnk
[2009/12/09 22:54:07 | 00,261,632 | ---- | M] () -- C:\Windows\PEV.exe
[2009/12/07 23:54:37 | 00,464,896 | ---- | M] () -- C:\Users\scott\Documents\A significant storm will affect Arizona and southeastern California Monday night through Tuesday.doc
[2009/12/03 18:36:34 | 02,356,347 | ---- | M] () -- C:\Users\scott\Desktop\0912_Troop738_Newsletter.pdf
[2009/12/03 18:33:40 | 00,435,123 | ---- | M] () -- C:\Users\scott\Desktop\greenland gazettewintercelebration.pdf
[2009/12/03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2009/12/03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2009/11/28 16:42:15 | 00,024,064 | ---- | M] () -- C:\Users\scott\Documents\Hohokam Pottery Artifact.doc
[2009/11/26 07:30:30 | 00,004,136 | ---- | M] () -- C:\Users\scott\clipdat2.rdf
[2009/11/23 21:01:13 | 00,024,064 | ---- | M] () -- C:\Users\scott\Documents\Rene.doc
[2009/11/22 20:07:52 | 00,025,600 | ---- | M] () -- C:\Users\scott\Documents\Robert LaSalle.doc
[2009/11/22 14:59:17 | 01,700,352 | ---- | M] () -- C:\Users\scott\Documents\Young_Chun_pics_compressed.doc
[2009/11/22 14:50:54 | 22,073,344 | ---- | M] () -- C:\Users\scott\Documents\Young_Chun_pics.doc
[2009/11/21 20:42:58 | 00,029,184 | ---- | M] () -- C:\Users\scott\Documents\Christmas list 2009.doc

[color=#E56717]========== Files Created - No Company Name ==========[/color]

#25
December 21, 2009 at 19:35:30
[2009/12/20 19:54:48 | 00,117,293 | ---- | C] () -- C:\Users\scott\Desktop\tdsskiller.zip
[2009/12/20 10:23:16 | 32,112,1504 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2009/12/20 09:51:45 | 00,293,376 | ---- | C] () -- C:\Users\scott\Desktop\lnxtt4ru.exe
[2009/12/20 09:47:00 | 00,026,624 | ---- | C] () -- C:\Users\scott\Desktop\Please download exeHelper to your desktop.doc
[2009/12/20 09:47:00 | 00,000,162 | -H-- | C] () -- C:\Users\scott\Desktop\~$ease download exeHelper to your desktop.doc
[2009/12/20 09:40:17 | 00,781,909 | ---- | C] () -- C:\Users\scott\Desktop\RSIT.exe
[2009/12/20 09:37:55 | 00,290,816 | ---- | C] () -- C:\Users\scott\Desktop\exeHelper.com
[2009/12/20 08:28:17 | 00,077,312 | ---- | C] () -- C:\Windows\MBR.exe
[2009/12/20 08:28:14 | 00,261,632 | ---- | C] () -- C:\Windows\PEV.exe
[2009/12/20 08:28:14 | 00,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2009/12/20 08:28:14 | 00,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2009/12/20 08:28:14 | 00,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2009/12/20 08:22:59 | 03,858,925 | R--- | C] () -- C:\Users\scott\Desktop\KittyFix.exe
[2009/12/19 12:43:39 | 00,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/12/19 08:04:14 | 00,000,904 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/12/19 07:16:47 | 00,061,224 | ---- | C] () -- C:\Users\scott\GoToAssistDownloadHelper.exe
[2009/12/19 07:08:54 | 00,001,889 | ---- | C] () -- C:\Users\Public\Desktop\McAfee Virtual Technician.lnk
[2009/12/14 19:44:58 | 00,025,088 | ---- | C] () -- C:\Users\scott\Documents\Dear Santa.doc
[2009/12/11 08:46:31 | 00,132,096 | RHS- | C] () -- C:\Windows\System32\msdtclogk.dll
[2009/12/11 08:46:31 | 00,000,316 | -HS- | C] () -- C:\Windows\tasks\VKKMI.job
[2009/12/11 08:14:57 | 00,014,156 | ---- | C] () -- C:\Windows\System32\Config.MPF
[2009/12/11 08:14:42 | 00,000,813 | ---- | C] () -- C:\Users\Public\Desktop\McAfee Security Center.lnk
[2009/12/11 08:14:09 | 00,000,808 | ---- | C] () -- C:\Users\Public\Desktop\McAfee EasyNetwork.lnk
[2009/12/11 08:12:08 | 00,000,340 | ---- | C] () -- C:\Windows\tasks\McDefragTask.job
[2009/12/11 08:12:07 | 00,000,318 | ---- | C] () -- C:\Windows\tasks\McQcTask.job
[2009/12/07 23:54:36 | 00,464,896 | ---- | C] () -- C:\Users\scott\Documents\A significant storm will affect Arizona and southeastern California Monday night through Tuesday.doc
[2009/12/03 18:36:34 | 02,356,347 | ---- | C] () -- C:\Users\scott\Desktop\0912_Troop738_Newsletter.pdf
[2009/12/03 18:33:40 | 00,435,123 | ---- | C] () -- C:\Users\scott\Desktop\greenland gazettewintercelebration.pdf
[2009/11/28 16:42:15 | 00,024,064 | ---- | C] () -- C:\Users\scott\Documents\Hohokam Pottery Artifact.doc
[2009/11/26 07:30:30 | 00,004,136 | ---- | C] () -- C:\Users\scott\clipdat2.rdf
[2009/11/23 21:01:13 | 00,024,064 | ---- | C] () -- C:\Users\scott\Documents\Rene.doc
[2009/11/22 19:02:44 | 00,025,600 | ---- | C] () -- C:\Users\scott\Documents\Robert LaSalle.doc
[2009/11/22 14:58:35 | 01,700,352 | ---- | C] () -- C:\Users\scott\Documents\Young_Chun_pics_compressed.doc
[2009/11/22 14:43:39 | 22,073,344 | ---- | C] () -- C:\Users\scott\Documents\Young_Chun_pics.doc
[2009/11/21 20:40:19 | 00,029,184 | ---- | C] () -- C:\Users\scott\Documents\Christmas list 2009.doc
[2009/09/17 05:15:54 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/05/25 09:16:41 | 00,004,096 | -H-- | C] () -- C:\Users\scott\AppData\Local\keyfile3.drm
[2009/01/06 21:13:37 | 00,532,480 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Sony.dll
[2008/11/15 15:27:55 | 00,005,972 | ---- | C] () -- C:\Users\scott\AppData\Local\d3d9caps.dat
[2008/10/03 18:51:47 | 00,019,456 | ---- | C] () -- C:\Users\scott\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/08/14 01:11:56 | 01,953,696 | ---- | C] () -- C:\Windows\System32\igklg400.dll
[2008/08/14 01:11:56 | 01,533,360 | ---- | C] () -- C:\Windows\System32\igklg450.dll
[2008/08/14 01:11:56 | 00,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1409.dll
[2008/08/14 01:11:56 | 00,104,636 | ---- | C] () -- C:\Windows\System32\igmedcompkrn.dll
[2008/08/14 01:11:56 | 00,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll
[2008/08/14 01:11:53 | 00,016,480 | ---- | C] () -- C:\Windows\System32\rixdicon.dll
[2008/08/13 22:40:44 | 00,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2008/08/13 22:34:08 | 00,054,784 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2006/11/02 03:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 00:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2003/01/07 15:05:08 | 00,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[1996/04/03 12:33:26 | 00,005,248 | ---- | C] () -- C:\Windows\System32\giveio.sys

[color=#E56717]========== Custom Scans ==========[/color]


[color=#A23BEC]< %SYSTEMDRIVE%\*.exe >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\eventlog.dll /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\scecli.dll /s /md5 >[/color]
[2009/04/10 23:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\ERDNT\cache\scecli.dll
[2009/04/10 23:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\System32\scecli.dll
[2008/01/20 19:34:39 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=28B84EB538F7E8A0FE8B9299D591E0B9 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll
[2009/04/10 23:28:24 | 00,177,152 | ---- | M] (Microsoft Corporation) MD5=8FC182167381E9915651267044105EE1 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll

[color=#A23BEC]< %SYSTEMDRIVE%\netlogon.dll /s /md5 >[/color]
[2009/04/10 23:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\ERDNT\cache\netlogon.dll
[2009/04/10 23:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\System32\netlogon.dll
[2008/01/20 19:33:41 | 00,592,384 | ---- | M] (Microsoft Corporation) MD5=A8EFC0B6E75B789F7FD3BA5025D4E37F -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll
[2009/04/10 23:28:23 | 00,592,896 | ---- | M] (Microsoft Corporation) MD5=95DAECF0FB120A7B5DA679CC54E37DDE -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll

[color=#A23BEC]< %SYSTEMDRIVE%\cngaudit.dll /s /md5 >[/color]
[2006/11/02 02:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\ERDNT\cache\cngaudit.dll
[2006/11/02 02:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\System32\cngaudit.dll
[2006/11/02 02:46:03 | 00,011,776 | ---- | M] (Microsoft Corporation) MD5=7F15B4953378C8B5161D65C26D5FED4D -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

[color=#A23BEC]< %SYSTEMDRIVE%\sceclt.dll /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\ntelogon.dll /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\logevent.dll /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\iaStor.sys /s /md5 >[/color]
[2007/09/06 09:43:26 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Drivers\storage\R166200\iastor.sys
[2007/03/21 10:58:56 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
[2007/03/21 10:59:30 | 00,381,720 | ---- | M] (Intel Corporation) MD5=9D7ED4275702E2FC409F2CC563245740 -- C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys
[2007/09/06 09:43:26 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\drivers\iaStor.sys
[2007/09/06 09:43:26 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys
[2007/09/06 09:43:26 | 00,304,920 | ---- | M] (Intel Corporation) MD5=997E8F5939F2D12CD9F2E6B395724C16 -- C:\Windows\System32\DriverStore\FileRepository\iastor.inf_5f6e7be5\iaStor.sys

[color=#A23BEC]< %SYSTEMDRIVE%\nvstor*.sys /s /md5 >[/color]
[2008/01/20 19:32:47 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\drivers\nvstor.sys
[2008/01/20 19:32:47 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_31c3d71d\nvstor.sys
[2006/11/02 02:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) MD5=9E0BA19A28C498A6D323D065DB76DFFC -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_733654ff\nvstor.sys
[2008/01/20 19:32:47 | 00,045,112 | ---- | M] (NVIDIA Corporation) MD5=ABED0C09758D1D97DB0042DBB2688177 -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.0.6001.18000_none_39dac327befea467\nvstor.sys

[color=#A23BEC]< %SYSTEMDRIVE%\atapi* /s /md5 >[/color]
[2009/04/10 23:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\ERDNT\cache\atapi.sys
[2009/04/10 23:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\drivers\atapi.sys
[2009/04/10 23:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_b12d8e84\atapi.sys
[2006/11/02 02:49:36 | 00,019,048 | ---- | M] (Microsoft Corporation) MD5=4F4FCB8B6EA06784FB6D475B7EC7300F -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_c6c2e699\atapi.sys
[2008/01/20 19:32:21 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys
[2008/01/20 19:32:21 | 00,021,560 | ---- | M] (Microsoft Corporation) MD5=2D9C903DC76A66813D350A562DE40ED9 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6001.18000_none_dd38281a2189ce9c\atapi.sys
[2009/04/10 23:32:26 | 00,019,944 | ---- | M] (Microsoft Corporation) MD5=1F05B78AB91C9075565A9D8A4B880BC4 -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.0.6002.18005_none_df23a1261eab99e8\atapi.sys

[color=#A23BEC]< %SYSTEMDRIVE%\IdeChnDr.sys /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\viasraid.sys /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\AGP440.sys /s /md5 >[/color]
[2008/01/20 19:32:22 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\ERDNT\cache\AGP440.sys
[2008/01/20 19:32:22 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\drivers\AGP440.sys
[2008/01/20 19:32:22 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_51b95d75\AGP440.sys
[2006/11/02 02:49:52 | 00,053,864 | ---- | M] (Microsoft Corporation) MD5=EF23439CDD587F64C2C1B8825CEAD7D8 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_920a2c1f\AGP440.sys
[2008/01/20 19:32:22 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_f750e484\AGP440.sys
[2008/01/20 19:32:22 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6001.18000_none_ba12ed3bbeb0d97a\AGP440.sys
[2008/01/20 19:32:22 | 00,056,376 | ---- | M] (Microsoft Corporation) MD5=13F9E33747E6B41A3FF305C37DB0D360 -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.0.6002.18005_none_bbfe6647bbd2a4c6\AGP440.sys

[color=#A23BEC]< %SYSTEMDRIVE%\vaxscsi.sys /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\nvatabus.sys /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\viamraid.sys /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\nvata.sys /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\nvgts.sys /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\iastorv.sys /s /md5 >[/color]
[2008/01/20 19:32:49 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\drivers\iaStorV.sys
[2006/11/02 02:51:25 | 00,232,040 | ---- | M] (Intel Corporation) MD5=C957BF4B5D80B46C5017BF0101E6C906 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_37cdafa4\iaStorV.sys
[2008/01/20 19:32:49 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_c9df7691\iaStorV.sys
[2008/01/20 19:32:49 | 00,235,064 | ---- | M] (Intel Corporation) MD5=54155EA1B0DF185878E0FC9EC3AC3A14 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.0.6001.18000_none_af11527887c7fa8f\iaStorV.sys

[color=#A23BEC]< %SYSTEMDRIVE%\ViPrt.sys /s /md5 >[/color]

[color=#A23BEC]< %SYSTEMDRIVE%\eNetHook.dll /s /md5 >[/color]
< End of report >

#26
December 21, 2009 at 19:36:32
That's all of the output from OTL.txt.

Do you need the output from Extras.txt?

#27
December 21, 2009 at 20:45:09
No, and I see nothing suspect.

Please run ESET's online scanner from this link:

ESET

1. Note: You will need to use Internet Explorer for this scan.
2. Tick the box next to YES, I accept the Terms of Use.
3. Click Start.
4. When asked, allow the ActiveX control to install.
5. Click Start.
6. Make sure that the option Remove found threats is unticked (I want to see what is found first), and the option Scan unwanted applications is checked.
7. Click Scan.
8. Wait for the scan to finish.
9. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
10. Copy and paste that log in your next reply.

#28
December 22, 2009 at 05:01:35
It ran and nothing was found. Here's the log file:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - delete file error:Access is denied.

OnlineScanner.ocx - copy file error :The process cannot access the file because it is being used by another process.

OnlineScanner.ocx - registred OK

#29
December 22, 2009 at 11:07:53
Sneaky little devil, isn't it?

Please download MBR.exe and save it to C:\

Then navigate to C:\ and double-click the MBR.exe executable file > click Run.

It will produce a brief log, mbr.txt, in the same directory as the program. Please copy/paste that log here.

Please download DeFogger to your desktop from this link:

DEFOGGER

1. Double-click DeFogger to run the tool.
2. When the utility opens, click the Disable button to disable your CD emulation drivers.
3. Click Yes to continue.
4. A 'Finished!' message will appear.
5. Click OK.
6. DeFogger will now ask to reboot the machine - click OK.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable, which will appear on your desktop.

Do not re-enable these drivers until the instruction is given.


Boot into safe mode using the F8 method only:

1. Restart your computer.
2. When the computer starts you will see your computer's hardware being listed. When you see this information, start to gently tap the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options.
3. Select the Safe Mode option using the arrow keys.
4. Then press the Enter key on your keyboard to boot into Vista Safe Mode.
5. When Windows starts you will be at a typical logon screen. Log on to your computer and Vista will enter Safe Mode.

Run GMER from safe mode, restart the computer and post its log.





#30
December 22, 2009 at 17:20:13
A brief DOS screen came up for the mbr.exe, and no mbr.txt was created in C:\.

I'll move on to DeFogger.



#31
December 22, 2009 at 17:22:54
The link to DeFogger brings it back to our post.

Is there another link for DeFogger?



#32
December 22, 2009 at 17:38:14
The text should be located at C:\mbr.txt.

Try this link:

DEFOGGER



#33
December 23, 2009 at 03:50:46
Here's the GMER log. I don't have a C:\mbr.txt; I don't even have an MBR directory on C:\.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-23 04:48:42
Windows 6.0.6002 Service Pack 2
Running: rd81wcw4.exe; Driver: C:\Users\scott\AppData\Local\Temp\fglcypow.sys


---- Devices - GMER 1.0.15 ----

Device \FileSystem\fastfat \Fat 8B613A7A

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



#34
December 23, 2009 at 05:07:14
I found the mbr.txt; it was in c:\windows\system32.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK


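The mbr.txt output above reports two separate reads of the boot sector ("user" and "kernel") and then a verdict that both agree. The script below is an added illustration of that cross-view idea, not Gmer's code: it parses a constructed 512-byte MBR (boot signature and partition table), reads it through two hypothetical paths, and reports where the views disagree. The sample sector, the patched copy, and the assumption that the detector works by comparing two reads are all constructed for this example.

```python
import struct
from typing import List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510      # 0x55 0xAA boot signature closes the sector


def build_sample_mbr() -> bytes:
    """Constructed sample: a minimal MBR with one active NTFS-type partition.
    Not a real disk image; the boot-code area is a stub padded with NOPs."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)
    # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)   # three empty entries
    return boot_code + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a sector into boot code, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype != 0:                      # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "partitions": partitions,
        "boot_code": sector[:BOOT_CODE_LEN],
    }


def compare_views(user_view: bytes, kernel_view: bytes) -> List[str]:
    """Cross-view check: two reads of the same sector taken through different
    paths should be byte-identical. Returns findings; an empty list means OK."""
    findings = []
    u, k = parse_mbr(user_view), parse_mbr(kernel_view)
    for name, view in (("user", u), ("kernel", k)):
        if not view["signature_ok"]:
            findings.append(f"{name}: missing 0x55AA boot signature")
    if u["boot_code"] != k["boot_code"]:
        first = next(i for i in range(BOOT_CODE_LEN)
                     if user_view[i] != kernel_view[i])
        findings.append("boot code differs between user and kernel view "
                        f"(first difference at offset {first})")
    if u["partitions"] != k["partitions"]:
        findings.append("partition table differs between user and kernel view")
    return findings


def demo():
    """Run the check on a clean pair and on a constructed mismatching pair."""
    clean = build_sample_mbr()
    # Constructed: a second copy whose boot code is altered at offset 0x10,
    # standing in for a kernel-level read that disagrees with the user-level one.
    patched = bytearray(clean)
    patched[0x10:0x14] = b"\xe8\x00\x01\x00"
    return compare_views(clean, clean), compare_views(clean, bytes(patched))


if __name__ == "__main__":
    agreed, disagreed = demo()
    print("clean pair:", agreed or "user & kernel MBR OK")
    for finding in disagreed:
        print("patched pair:", finding)
```

The point of comparing two views rather than inspecting one is that a single read can be lied to; a disagreement between reads is the signal, regardless of what either view contains.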

#35
December 23, 2009 at 09:40:49
Still nothing showing up.

Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

Rename the setup file, mbam-setup.exe, before you download it. To do that, once the "enter name of file to save to" box appears as the download begins, rename mbam-setup.exe to tool.exe in the filename box > click Save.

1. Double Click tool.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy and paste the entire report in your next reply.

Please run the BitDefender online scan from this link:
Bitdefender Online Scanner

Click I Agree to agree to the EULA.
Allow the ActiveX control to install when prompted.
Click Click here to scan to begin the scan.
Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
When the scan is finished, click on Click here to export the scan results.
Save the report to your desktop so you can post it in your next reply.

