need help with this plz (win32.tdss.reg)



lex200
2009-07-04, 20:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:53:32, on 04/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2070107
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203731462390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180963787375
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0151801245870868) (0151801245870868mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\0151801245870868mcinst.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Advanced Networking Service (hnmsvc) - Unknown owner - C:\Program Files\Dell Network Assistant\hnm_svc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10862 bytes

Shaba
2009-07-06, 08:43
Hi lex200

Please post next spybot report :)

lex200
2009-07-06, 23:33
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-20 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi
2009-06-02 Includes\AdwareC.sbi
2009-01-22 Includes\Cookies.sbi
2009-05-19 Includes\Dialer.sbi
2009-06-02 Includes\DialerC.sbi
2009-01-22 Includes\HeavyDuty.sbi
2009-05-26 Includes\Hijackers.sbi
2009-06-23 Includes\HijackersC.sbi
2009-06-23 Includes\Keyloggers.sbi
2009-06-30 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2009-06-30 Includes\Malware.sbi
2009-06-30 Includes\MalwareC.sbi
2009-03-25 Includes\PUPS.sbi
2009-06-30 Includes\PUPSC.sbi
2009-01-22 Includes\Revision.sbi
2009-01-13 Includes\Security.sbi
2009-06-02 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2009-04-07 Includes\Spyware.sbi
2009-06-02 Includes\SpywareC.sbi
2009-06-08 Includes\Tracks.uti
2009-06-17 Includes\Trojans.sbi
2009-06-30 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB887998)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB930494)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Media Center 2005 / SP4: Update Rollup 2 for Windows XP Media Center Edition 2005
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player 10: Update for Windows Media Player 10 (KB913800)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows Media Player 10: Update for Windows Media Player 10 (KB926251)
/ Windows Media Player 10 / SP0: Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
/ Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB928090)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB931768)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB933566)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB937143)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB958215)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB960714)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB963027)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB969897)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB969897)
/ Windows XP / SP0: Update for Windows Internet Explorer 8 (KB971180)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Hotfix for Windows XP (KB942288-v3)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB958690)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Hotfix for Windows XP (KB961118)
/ Windows XP / SP4: Security Update for Windows XP (KB961373)
/ Windows XP / SP4: Security Update for Windows XP (KB961501)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ Windows XP / SP4: Security Update for Windows XP (KB968537)
/ Windows XP / SP4: Security Update for Windows XP (KB969898)
/ Windows XP / SP4: Security Update for Windows XP (KB970238)
/ Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0


--- Startup entries list ---
Located: HK_LM:Run, amd_dc_opt
command: C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
file: C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
size: 77824
MD5: EBC0E8C0A4DDA2C32A7D5863462A321A

Located: HK_LM:Run, IntelliPoint
command: "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
file: C:\Program Files\Microsoft IntelliPoint\ipoint.exe
size: 849280
MD5: F4E7979D8ADEBEEDEAD33019A5BD52BF

Located: HK_LM:Run, itype
command: "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
file: C:\Program Files\Microsoft IntelliType Pro\itype.exe
size: 813912
MD5: F2E2AAD0EE3E886161A907F473A10B20

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep 0 -k
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, mcagent_exe
command: "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
file: C:\Program Files\McAfee.com\Agent\mcagent.exe
size: 645328
MD5: 88A8EBA41A7FE46167D10975DC15BC4A

Located: HK_LM:Run, SigmatelSysTrayApp
command: stsystra.exe
file: C:\WINDOWS\stsystra.exe
size: 282624
MD5: 289BDC9E5681BD1BE0FB871C460BD254

Located: HK_CU:Run, CTFMON.EXE
where: .DEFAULT...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, DWQueuedReporting
where: .DEFAULT...
command: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
file: C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
size: 435096
MD5: BCE986B97974DFBB7302C9990F3511A8

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2606577421-1681171435-465083108-1005...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, msnmsgr
where: S-1-5-21-2606577421-1681171435-465083108-1005...
command: "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
file: C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
size: 5724184
MD5: A8972A2F9A744DD5EE0BFE429D767F1C

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2606577421-1681171435-465083108-500...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:RunOnce, NeroHomeFirstStart
where: S-1-5-21-2606577421-1681171435-465083108-500...
command: "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
file: C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
file: C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
size: 139264
MD5: 3DBE5B70FCA1F15BE651A5EB02594B84

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, MSMSGS
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1695232
MD5: 3E930C641079443D4DE036167A69CAA2

Located: HK_CU:Run, msnmsgr
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
file: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: A8972A2F9A744DD5EE0BFE429D767F1C

Located: HK_CU:Run, QuickTime Task
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: 6CD5C3276C83F72677D647F27EE14ABD

Located: HK_CU:Run, swg
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-18...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, DWQueuedReporting
where: S-1-5-18...
command: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
file: C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
size: 435096
MD5: BCE986B97974DFBB7302C9990F3511A8

Located: Startup (user), OneNote 2007 Screen Clipper and Launcher.lnk
where: C:\Documents and Settings\Guest\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
file: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
size: 98696
MD5: A6D772AA861E673636D48B6EB452ADE3

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name:
Date (created): 27/02/2009 13:07:26
Date (last access): 14/03/2009 14:16:32
Date (last write): 27/02/2009 13:07:26
Filesize: 75128
Attributes: archive
MD5: 5CF6190CD875DA6B35256FEE573E7908
CRC32: 764BA81B
Version: 9.1.0.163

{27B4851A-3207-45A2-B947-BE8AFE6163AB} (McAfee Phishing Filter)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: McAfee Phishing Filter
CLSID name: McAfee Phishing Filter
Path: c:\PROGRA~1\mcafee\msk\
Long name: mskapbho.dll
Short name:
Date (created): 08/12/2008 03:03:26
Date (last access): 09/01/2009 09:22:10
Date (last write): 09/01/2009 09:22:10
Filesize: 246800
Attributes: archive
MD5: 427E479ACD4F1C4A21CD2C7911B07014
CRC32: E1018A4F
Version: 10.3.109.0

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 20/03/2009 17:47:04
Date (last access): 22/03/2009 03:06:54
Date (last write): 15/09/2008 15:25:44
Filesize: 1562960
Attributes: readonly hidden sysfile archive
MD5: 35F73F1936BDE91F1B6995510A61E7A8
CRC32: BE6A5D15
Version: 1.6.2.14

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Groove GFS Browser Helper
Path: C:\Program Files\Microsoft Office\Office12\
Long name: GrooveShellExtensions.dll
Short name:
Date (created): 12/02/2009 15:19:32
Date (last access): 16/06/2009 20:21:26
Date (last write): 12/02/2009 15:19:32
Filesize: 2217848
Attributes: archive
MD5: A6B5A41C0ED007AB6C43CAD899E533D8
CRC32: BA078F79
Version: 12.0.6421.1000

{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: scriptproxy
CLSID name: scriptproxy
Path: C:\Program Files\McAfee\VirusScan\
Long name: scriptsn.dll
Short name:
Date (created): 07/06/2008 14:32:34
Date (last access): 25/03/2009 11:05:56
Date (last write): 25/03/2009 11:05:56
Filesize: 62784
Attributes: archive
MD5: 20A51E0AA981268CBA3C714A188DA15B
CRC32: F9AA83AA
Version: 14.0.0.423

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 17/02/2009 17:11:04
Date (last access): 13/03/2009 20:35:34
Date (last write): 17/02/2009 17:11:04
Filesize: 408440
Attributes: archive
MD5: 1A82C1B9BB43385695EFC3A84F6756A2
CRC32: 75E558CA
Version: 5.0.818.6

{B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: McAfee SiteAdvisor BHO
Path: c:\PROGRA~1\mcafee\SITEAD~1\
Long name: McIEPlg.dll
Short name:
Date (created): 07/12/2008 03:24:42
Date (last access): 13/03/2009 20:38:16
Date (last write): 14/11/2008 13:25:26
Filesize: 150032
Attributes: archive
MD5: 623CA938B77D445B41846447B2F991C8
CRC32: 13AA1784
Version: 1.0.2.155

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 27/03/2009 17:27:44
Date (last access): 27/03/2009 17:27:44
Date (last write): 27/03/2009 17:27:44
Filesize: 35840
Attributes: archive
MD5: 96A225C7F5346A9E81FC3DFA89A900C0
CRC32: BAD5D2EF
Version: 6.0.130.3

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name:
Date (created): 27/03/2009 17:27:46
Date (last access): 27/03/2009 17:27:46
Date (last write): 27/03/2009 17:27:46
Filesize: 73728
Attributes: archive
MD5: 53F8B53918C839F76367B7E612B742B1
CRC32: 735F7F91
Version: 6.0.130.3



--- ActiveX list ---
{5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class)
DPF name:
CLSID name: Solitaire Showdown Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: SolitaireShowdown.dll
Short name: SOLITA~1.DLL
Date (created): 28/02/2007 14:21:04
Date (last access): 27/02/2009 23:43:18
Date (last write): 28/02/2007 14:21:04
Filesize: 142248
Attributes: archive
MD5: 93F7304161C8CB7C335F99D9232BD347
CRC32: 91D38231
Version: 9.5.6986.1

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203731462390
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 16/08/2005 05:40:18
Date (last access): 10/03/2009 23:53:28
Date (last write): 16/10/2008 15:13:40
Filesize: 202776
Attributes: archive
MD5: 1865594AFE88C27A127FF4CF492734B0
CRC32: F48FD025
Version: 7.2.6001.788

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer:
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180963787375
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 26/05/2005 05:19:32
Date (last access): 10/03/2009 23:53:10
Date (last write): 16/10/2008 15:06:48
Filesize: 208744
Attributes: archive
MD5: D2E6F0A06391FE5556E8A1D6D5041A5E
CRC32: 27FBFA7D
Version: 7.2.6001.788

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_13
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_13.dll
Short name:
Date (created): 27/03/2009 17:27:46
Date (last access): 27/03/2009 17:27:46
Date (last write): 27/03/2009 17:27:46
Filesize: 136600
Attributes: archive
MD5: 20188EB1790C5EB9057DDFE3EA138FC7
CRC32: 2EA1ACCF
Version: 6.0.130.3

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class)
DPF name:
CLSID name: MessengerStatsClient Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
description:
classification: Legitimate
known filename: MessengerStatsPAClient.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MessengerStatsPAClient.dll
Short name: MESSEN~1.DLL
Date (created): 22/02/2007 23:41:12
Date (last access): 27/02/2009 23:43:18
Date (last write): 22/02/2007 23:41:12
Filesize: 304544
Attributes: archive
MD5: 8945CCA5FC4F25168E8B6F401EFAF51F
CRC32: 0F12FD23
Version: 9.5.6907.1

{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_13
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_13.dll
Short name:
Date (created): 27/03/2009 17:27:46
Date (last access): 27/03/2009 17:27:46
Date (last write): 27/03/2009 17:27:46
Filesize: 136600
Attributes: archive
MD5: 20188EB1790C5EB9057DDFE3EA138FC7
CRC32: 2EA1ACCF
Version: 6.0.130.3

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_13
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_13.dll
Short name:
Date (created): 27/03/2009 17:27:46
Date (last access): 27/03/2009 17:27:46
Date (last write): 27/03/2009 17:27:46
Filesize: 136600
Attributes: archive
MD5: 20188EB1790C5EB9057DDFE3EA138FC7
CRC32: 2EA1ACCF
Version: 6.0.130.3

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash10b.ocx
Short name:
Date (created): 03/02/2009 03:07:18
Date (last access): 16/06/2009 16:27:00
Date (last write): 03/02/2009 03:07:18
Filesize: 3866528
Attributes: readonly archive
MD5: 8AFC17155ED5AB60B7C52D7F553D579C
CRC32: 0FBC13F3
Version: 10.0.22.87



--- Process list ---
PID: 0 ( 0) [System]
PID: 452 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 660 ( 452) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 800 ( 452) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 924 ( 800) C:\WINDOWS\system32\services.exe
size: 110592
MD5: 65DF52F5B8B6E9BBD183505225C37315
PID: 936 ( 800) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1172 ( 924) C:\WINDOWS\system32\Ati2evxx.exe
size: 409600
MD5: C23082B890F21267037CA6111C385FF3
PID: 1216 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1412 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1456 ( 924) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1492 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1688 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1880 ( 924) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1964 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2004 ( 924) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 144712
MD5: 7E94E567C1AA5ABE6174032B3DAB6C23
PID: 2020 ( 924) C:\Program Files\Bonjour\mDNSResponder.exe
size: 238888
MD5: 3F56903E124E820AEECE6D471583C6C1
PID: 2040 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 240 ( 924) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
size: 258103
MD5: 0F2CD70A636FCD7362F5DAE96AFDF17F
PID: 336 ( 924) C:\Program Files\Java\jre6\bin\jqs.exe
size: 152984
MD5: 890369AED0DDE1A98F09F7DC239CA2BD
PID: 392 ( 924) C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
size: 206096
MD5: 02DD571C055A6644E8CF952058D4BA9C
PID: 476 ( 924) C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
size: 797864
MD5: 5F2E238661F79CC2D0347F0265BF0063
PID: 348 ( 924) c:\program files\common files\mcafee\mna\mcnasvc.exe
size: 2482848
MD5: AA490BFB95998686AF46FDCD8093443B
PID: 656 ( 924) c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
size: 359952
MD5: 5A8D1ACD2070B8261236D5484AE63721
PID: 724 ( 924) C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
size: 144704
MD5: 0C53EFC1DD2318A235EC628A41E05312
PID: 1260 ( 924) C:\Program Files\McAfee\MPF\MPFSrv.exe
size: 884360
MD5: DE51C0969EE26777D2D10C5CF70538FA
PID: 1556 ( 924) C:\Program Files\McAfee\MSK\MskSrver.exe
size: 26640
MD5: 9A55CFA5F970BB407C7F639D19578A89
PID: 1508 ( 924) C:\WINDOWS\system32\HPZipm12.exe
size: 73728
MD5: 2D091A99624FB9E7EEF0A86D872EC0C3
PID: 1708 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1772 ( 924) C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
size: 53307
MD5: CCFDECD6060EA8EB0F8466782A97FF21
PID: 1840 (1772) C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
size: 5203968
MD5: 95A3BE8657A83652E27280E856A3E7C5
PID: 2876 ( 924) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 1476 (1456) C:\WINDOWS\system32\wuauclt.exe
size: 51224
MD5: E654B78D2F1D791B30D0ED9A8195EC22
PID: 2748 (1216) c:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 645328
MD5: 88A8EBA41A7FE46167D10975DC15BC4A
PID: 2820 (2604) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 520 (2820) C:\WINDOWS\stsystra.exe
size: 282624
MD5: 289BDC9E5681BD1BE0FB871C460BD254
PID: 1148 (2820) C:\Program Files\Microsoft IntelliType Pro\itype.exe
size: 813912
MD5: F2E2AAD0EE3E886161A907F473A10B20
PID: 708 (2820) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
size: 849280
MD5: F4E7979D8ADEBEEDEAD33019A5BD52BF
PID: 1728 (2820) C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
size: 5724184
MD5: A8972A2F9A744DD5EE0BFE429D767F1C
PID: 1616 (2820) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 3820 ( 924) C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
size: 606736
MD5: 9C2BA4C40B94D049539AD99235715A9A
PID: 1340 (2820) C:\Program Files\Internet Explorer\iexplore.exe
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 3304 (1340) C:\Program Files\Internet Explorer\iexplore.exe
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 2060 (2820) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 06/07/2009 21:27:50

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.co.uk/webhp?hl=en
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD RfComm [Bluetooth]
GUID: {9FC48064-7298-43E4-B7BD-181F2089792A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD RfComm [Bluetooth]

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A7933F12-CB71-41AC-B5B2-BFF23857323A}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A7933F12-CB71-41AC-B5B2-BFF23857323A}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{430ECC8B-1CC9-4793-BA49-0F8139D9BC85}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{430ECC8B-1CC9-4793-BA49-0F8139D9BC85}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F93F3702-4998-4712-B382-D9F208B21225}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F93F3702-4998-4712-B382-D9F208B21225}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4660E909-49F3-45D2-A12D-999DC7E340EB}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4660E909-49F3-45D2-A12D-999DC7E340EB}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8C4BC2B4-6CBC-4E47-AF10-3ABFC2B34194}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8C4BC2B4-6CBC-4E47-AF10-3ABFC2B34194}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CCF58095-1582-49DD-9007-B09A9FF8ABF0}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CCF58095-1582-49DD-9007-B09A9FF8ABF0}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{718FDF74-7835-4848-B3B2-7CFEB8BB3818}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{718FDF74-7835-4848-B3B2-7CFEB8BB3818}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EA6A5AFF-F8CD-4486-B169-C8CCC9CB55E5}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EA6A5AFF-F8CD-4486-B169-C8CCC9CB55E5}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29B39846-0902-49E5-B96A-2F1FC54E9A72}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29B39846-0902-49E5-B96A-2F1FC54E9A72}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2F9FBC39-C724-4E7B-AEFD-EDFE1FAC9BF8}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2F9FBC39-C724-4E7B-AEFD-EDFE1FAC9BF8}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: Bluetooth Namespace
GUID: {06AA63E0-7D60-41FF-AFB2-3EE6D2D9392D}
Filename: %SystemRoot%\system32\wshbth.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\wshbth.dll
DB protocol: Bluetooth-Namespace

Namespace Provider 4: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
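
A check a responder can run over the process list in this post, as an added example (it is not code from the original post, nor from Spybot or HijackThis): it parses the `PID: nnn ( ppid) path` / `size:` / `MD5:` entry format Spybot uses, rebuilds the parent/child relationships, and flags the three things worth eyeballing in a list like this one: an svchost.exe that was not started by services.exe or does not live in system32 (in the log above every svchost.exe has parent 924, services.exe, and the same MD5), a process whose parent PID is no longer present (Explorer.EXE's parent 2604 here, which is normal because userinit.exe exits after launching it), and one image name seen with more than one hash. The sample input is constructed: a few entries copied from the log plus an invented rogue PID 3999 with an all-zero hash; the assumption that %SystemRoot% is C:\WINDOWS is taken from the paths in the log.

```python
import re
from collections import defaultdict

# One entry of the Spybot "--- Process list ---" section looks like this in the posted log:
#   PID: 1216 ( 924) C:\WINDOWS\system32\svchost.exe
#   size: 14336
#   MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
# The number in parentheses is the parent PID; the size/MD5 lines are optional.
PID_RE = re.compile(r"^PID:\s*(\d+)\s*\(\s*(\d+)\)\s*(.*)$")

# Constructed sample: entries modelled on the log above plus one made-up rogue entry
# (PID 3999, an svchost.exe in C:\WINDOWS started by Explorer, bogus hash) so the
# checks below have something to flag. Not real data from the affected machine.
SAMPLE_LOG = r"""
PID: 0 ( 0) [System]
PID: 452 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 800 ( 452) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 924 ( 800) C:\WINDOWS\system32\services.exe
size: 110592
MD5: 65DF52F5B8B6E9BBD183505225C37315
PID: 1216 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1412 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2820 (2604) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 3999 (2820) C:\WINDOWS\svchost.exe
size: 14336
MD5: 00000000000000000000000000000000
PID: 4 ( 0) System
"""

def parse_process_list(text):
    """Map pid -> {'ppid', 'path', 'size', 'md5'} from a Spybot process-list block."""
    procs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PID_RE.match(line)
        if m:
            pid, ppid, path = int(m.group(1)), int(m.group(2)), m.group(3).strip()
            current = {"ppid": ppid, "path": path, "size": None, "md5": None}
            procs[pid] = current
        elif current and line.lower().startswith("size:"):
            current["size"] = int(line.split(":", 1)[1])
        elif current and line.lower().startswith("md5:"):
            current["md5"] = line.split(":", 1)[1].strip().upper()
    return procs

def normalize_path(path):
    """Fold the NT-style forms (\\??\\C:\\..., \\SystemRoot\\...) into a lower-case DOS path."""
    p = path
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot\\"):
        # Assumption: %SystemRoot% is C:\WINDOWS, as every path in the log shows.
        p = "C:\\WINDOWS\\" + p[len("\\SystemRoot\\"):]
    return p.lower()

def basename(path):
    return normalize_path(path).rsplit("\\", 1)[-1]

def parent_dir(path):
    n = normalize_path(path)
    return n.rsplit("\\", 1)[0] if "\\" in n else ""

SYSTEM32 = "c:\\windows\\system32"

def audit(procs):
    """Return [(pid_or_None, message)] for the three heuristics described in the lead-in."""
    findings = []
    hashes_by_name = defaultdict(set)
    for pid, p in procs.items():
        name = basename(p["path"])
        if p["md5"]:
            hashes_by_name[name].add(p["md5"])
        if name == "svchost.exe":
            # Check 1: every svchost.exe is started by services.exe and lives in system32.
            parent = procs.get(p["ppid"])
            if parent is None or basename(parent["path"]) != "services.exe":
                findings.append((pid, "svchost.exe not parented by services.exe"))
            if parent_dir(p["path"]) != SYSTEM32:
                findings.append((pid, "svchost.exe outside system32: " + p["path"]))
        elif p["ppid"] not in procs:
            # Check 2: the parent is gone. Expected for Explorer.EXE (userinit.exe exits
            # after launching it); anything else with a dead parent deserves a look.
            findings.append((pid, "parent PID %d not in list" % p["ppid"]))
    # Check 3: the same image name appearing with more than one hash.
    for name, hashes in hashes_by_name.items():
        if len(hashes) > 1:
            findings.append((None, "%s seen with %d different MD5s" % (name, len(hashes))))
    return findings

if __name__ == "__main__":
    for pid, msg in audit(parse_process_list(SAMPLE_LOG)):
        print(pid if pid is not None else "-", msg)
```

Run against the process list actually posted above, the only finding is the missing parent of Explorer.EXE, which is the expected one. That is a useful negative result but not a clean bill of health: a kernel-mode rootkit that hides its own objects from user-mode enumeration does not appear in a list like this at all, which is why the registry-level hit in the next post matters more than the process list.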

lex200
2009-07-07, 00:00
--- Search result list ---
Win32.TDSS.reg: [SBI $48FC2A86] System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-20 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-23 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-06-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-06-30 Includes\Malware.sbi (*)
2009-06-30 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-06-30 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-06-17 Includes\Trojans.sbi (*)
2009-06-30 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 3 (5.1.2600)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB887998)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Hotfix (KB930494)
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ Media Center 2005 / SP4: Update Rollup 2 for Windows XP Media Center Edition 2005
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB954430)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player: Security Update for Windows Media Player (KB952069)
/ Windows Media Player 10: Update for Windows Media Player 10 (KB913800)
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB917734)
/ Windows Media Player 10: Update for Windows Media Player 10 (KB926251)
/ Windows Media Player 10 / SP0: Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB954154)
/ Windows Media Player 11: Critical Update for Windows Media Player 11 (KB959772)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB928090)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB931768)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB933566)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB937143)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB956390)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB958215)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB960714)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB961260)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB963027)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB969897)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 8 (KB969897)
/ Windows XP / SP0: Update for Windows Internet Explorer 8 (KB971180)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Windows XP Service Pack 3
/ Windows XP / SP4: Security Update for Windows XP (KB923561)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Hotfix for Windows XP (KB942288-v3)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Update for Windows XP (KB951978)
/ Windows XP / SP4: Security Update for Windows XP (KB952004)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)
/ Windows XP / SP4: Security Update for Windows XP (KB954211)
/ Windows XP / SP4: Security Update for Windows XP (KB954459)
/ Windows XP / SP4: Hotfix for Windows XP (KB954550-v5)
/ Windows XP / SP4: Security Update for Windows XP (KB954600)
/ Windows XP / SP4: Security Update for Windows XP (KB955069)
/ Windows XP / SP4: Update for Windows XP (KB955839)
/ Windows XP / SP4: Security Update for Windows XP (KB956391)
/ Windows XP / SP4: Security Update for Windows XP (KB956572)
/ Windows XP / SP4: Security Update for Windows XP (KB956802)
/ Windows XP / SP4: Security Update for Windows XP (KB956803)
/ Windows XP / SP4: Security Update for Windows XP (KB956841)
/ Windows XP / SP4: Security Update for Windows XP (KB957095)
/ Windows XP / SP4: Security Update for Windows XP (KB957097)
/ Windows XP / SP4: Security Update for Windows XP (KB958644)
/ Windows XP / SP4: Security Update for Windows XP (KB958687)
/ Windows XP / SP4: Security Update for Windows XP (KB958690)
/ Windows XP / SP4: Security Update for Windows XP (KB959426)
/ Windows XP / SP4: Security Update for Windows XP (KB960225)
/ Windows XP / SP4: Security Update for Windows XP (KB960715)
/ Windows XP / SP4: Security Update for Windows XP (KB960803)
/ Windows XP / SP4: Hotfix for Windows XP (KB961118)
/ Windows XP / SP4: Security Update for Windows XP (KB961373)
/ Windows XP / SP4: Security Update for Windows XP (KB961501)
/ Windows XP / SP4: Update for Windows XP (KB967715)
/ Windows XP / SP4: Security Update for Windows XP (KB968537)
/ Windows XP / SP4: Security Update for Windows XP (KB969898)
/ Windows XP / SP4: Security Update for Windows XP (KB970238)
/ Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221
/ XML Paper Specification Shared Components Pack 1.0: XML Paper Specification Shared Components Pack 1.0


--- Startup entries list ---
Located: HK_LM:Run, amd_dc_opt
command: C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
file: C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
size: 77824
MD5: EBC0E8C0A4DDA2C32A7D5863462A321A

Located: HK_LM:Run, IntelliPoint
command: "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
file: C:\Program Files\Microsoft IntelliPoint\ipoint.exe
size: 849280
MD5: F4E7979D8ADEBEEDEAD33019A5BD52BF

Located: HK_LM:Run, itype
command: "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
file: C:\Program Files\Microsoft IntelliType Pro\itype.exe
size: 813912
MD5: F2E2AAD0EE3E886161A907F473A10B20

Located: HK_LM:Run, KernelFaultCheck
command: %systemroot%\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep 0 -k
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, mcagent_exe
command: "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
file: C:\Program Files\McAfee.com\Agent\mcagent.exe
size: 645328
MD5: 88A8EBA41A7FE46167D10975DC15BC4A

Located: HK_LM:Run, SigmatelSysTrayApp
command: stsystra.exe
file: C:\WINDOWS\stsystra.exe
size: 282624
MD5: 289BDC9E5681BD1BE0FB871C460BD254

Located: HK_CU:Run, CTFMON.EXE
where: .DEFAULT...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, DWQueuedReporting
where: .DEFAULT...
command: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
file: C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
size: 435096
MD5: BCE986B97974DFBB7302C9990F3511A8

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2606577421-1681171435-465083108-1005...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, msnmsgr
where: S-1-5-21-2606577421-1681171435-465083108-1005...
command: "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
file: C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
size: 5724184
MD5: A8972A2F9A744DD5EE0BFE429D767F1C

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2606577421-1681171435-465083108-500...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:RunOnce, NeroHomeFirstStart
where: S-1-5-21-2606577421-1681171435-465083108-500...
command: "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
file: C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
file: C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
size: 139264
MD5: 3DBE5B70FCA1F15BE651A5EB02594B84

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, MSMSGS
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: "C:\Program Files\Messenger\msmsgs.exe" /background
file: C:\Program Files\Messenger\msmsgs.exe
size: 1695232
MD5: 3E930C641079443D4DE036167A69CAA2

Located: HK_CU:Run, msnmsgr
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
file: C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: A8972A2F9A744DD5EE0BFE429D767F1C

Located: HK_CU:Run, QuickTime Task
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: 6CD5C3276C83F72677D647F27EE14ABD

Located: HK_CU:Run, swg
where: S-1-5-21-2606577421-1681171435-465083108-501...
command: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
file: C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, CTFMON.EXE
where: S-1-5-18...
command: C:\WINDOWS\system32\CTFMON.EXE
file: C:\WINDOWS\system32\CTFMON.EXE
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3

Located: HK_CU:Run, DWQueuedReporting
where: S-1-5-18...
command: "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
file: C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
size: 435096
MD5: BCE986B97974DFBB7302C9990F3511A8

Located: Startup (user), OneNote 2007 Screen Clipper and Launcher.lnk
where: C:\Documents and Settings\Guest\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
file: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
size: 98696
MD5: A6D772AA861E673636D48B6EB452ADE3

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, dimsntfy
command: %SystemRoot%\System32\dimsntfy.dll
file: %SystemRoot%\System32\dimsntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{18DF081C-E8AD-4283-A596-FA578C2EBDC3} (AcroIEHelperStub)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: AcroIEHelperStub
CLSID name: Adobe PDF Link Helper
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelperShim.dll
Short name:
Date (created): 27/02/2009 13:07:26
Date (last access): 14/03/2009 14:16:32
Date (last write): 27/02/2009 13:07:26
Filesize: 75128
Attributes: archive
MD5: 5CF6190CD875DA6B35256FEE573E7908
CRC32: 764BA81B
Version: 9.1.0.163

{27B4851A-3207-45A2-B947-BE8AFE6163AB} (McAfee Phishing Filter)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: McAfee Phishing Filter
CLSID name: McAfee Phishing Filter
Path: c:\PROGRA~1\mcafee\msk\
Long name: mskapbho.dll
Short name:
Date (created): 08/12/2008 03:03:26
Date (last access): 09/01/2009 09:22:10
Date (last write): 09/01/2009 09:22:10
Filesize: 246800
Attributes: archive
MD5: 427E479ACD4F1C4A21CD2C7911B07014
CRC32: E1018A4F
Version: 10.3.109.0

{53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Spybot-S&D IE Protection
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\Spybot - Search & Destroy\
Long name: SDHelper.dll
Short name:
Date (created): 20/03/2009 17:47:04
Date (last access): 22/03/2009 03:06:54
Date (last write): 15/09/2008 15:25:44
Filesize: 1562960
Attributes: readonly hidden sysfile archive
MD5: 35F73F1936BDE91F1B6995510A61E7A8
CRC32: BE6A5D15
Version: 1.6.2.14

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Groove GFS Browser Helper
Path: C:\Program Files\Microsoft Office\Office12\
Long name: GrooveShellExtensions.dll
Short name:
Date (created): 12/02/2009 15:19:32
Date (last access): 16/06/2009 20:21:26
Date (last write): 12/02/2009 15:19:32
Filesize: 2217848
Attributes: archive
MD5: A6B5A41C0ED007AB6C43CAD899E533D8
CRC32: BA078F79
Version: 12.0.6421.1000

{7DB2D5A0-7241-4E79-B68D-6309F01C5231} (scriptproxy)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: scriptproxy
CLSID name: scriptproxy
Path: C:\Program Files\McAfee\VirusScan\
Long name: scriptsn.dll
Short name:
Date (created): 07/06/2008 14:32:34
Date (last access): 25/03/2009 11:05:56
Date (last write): 25/03/2009 11:05:56
Filesize: 62784
Attributes: archive
MD5: 20A51E0AA981268CBA3C714A188DA15B
CRC32: F9AA83AA
Version: 14.0.0.423

{9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Windows Live Sign-in Helper
Path: C:\Program Files\Common Files\Microsoft Shared\Windows Live\
Long name: WindowsLiveLogin.dll
Short name: WINDOW~1.DLL
Date (created): 17/02/2009 17:11:04
Date (last access): 13/03/2009 20:35:34
Date (last write): 17/02/2009 17:11:04
Filesize: 408440
Attributes: archive
MD5: 1A82C1B9BB43385695EFC3A84F6756A2
CRC32: 75E558CA
Version: 5.0.818.6

{B164E929-A1B6-4A06-B104-2CD0E90A88FF} (McAfee SiteAdvisor BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: McAfee SiteAdvisor BHO
Path: c:\PROGRA~1\mcafee\SITEAD~1\
Long name: McIEPlg.dll
Short name:
Date (created): 07/12/2008 03:24:42
Date (last access): 13/03/2009 20:38:16
Date (last write): 14/11/2008 13:25:26
Filesize: 150032
Attributes: archive
MD5: 623CA938B77D445B41846447B2F991C8
CRC32: 13AA1784
Version: 1.0.2.155

{DBC80044-A445-435b-BC74-9C25C1C588A9} (Java(tm) Plug-In 2 SSV Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Java(tm) Plug-In 2 SSV Helper
Path: C:\Program Files\Java\jre6\bin\
Long name: jp2ssv.dll
Short name:
Date (created): 27/03/2009 17:27:44
Date (last access): 27/03/2009 17:27:44
Date (last write): 27/03/2009 17:27:44
Filesize: 35840
Attributes: archive
MD5: 96A225C7F5346A9E81FC3DFA89A900C0
CRC32: BAD5D2EF
Version: 6.0.130.3

{E7E6F031-17CE-4C07-BC86-EABFE594F69C} (JQSIEStartDetectorImpl)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: JQSIEStartDetectorImpl
CLSID name: JQSIEStartDetectorImpl Class
Path: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\
Long name: jqs_plugin.dll
Short name:
Date (created): 27/03/2009 17:27:46
Date (last access): 27/03/2009 17:27:46
Date (last write): 27/03/2009 17:27:46
Filesize: 73728
Attributes: archive
MD5: 53F8B53918C839F76367B7E612B742B1
CRC32: 735F7F91
Version: 6.0.130.3



--- ActiveX list ---
{5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class)
DPF name:
CLSID name: Solitaire Showdown Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: SolitaireShowdown.dll
Short name: SOLITA~1.DLL
Date (created): 28/02/2007 14:21:04
Date (last access): 27/02/2009 23:43:18
Date (last write): 28/02/2007 14:21:04
Filesize: 142248
Attributes: archive
MD5: 93F7304161C8CB7C335F99D9232BD347
CRC32: 91D38231
Version: 9.5.6986.1

{6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
DPF name:
CLSID name: WUWebControl Class
Installer: C:\WINDOWS\Downloaded Program Files\wuweb.inf
Codebase: http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203731462390
description:
classification: Legitimate
known filename: wuweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: wuweb.dll
Short name:
Date (created): 16/08/2005 05:40:18
Date (last access): 10/03/2009 23:53:28
Date (last write): 16/10/2008 15:13:40
Filesize: 202776
Attributes: archive
MD5: 1865594AFE88C27A127FF4CF492734B0
CRC32: F48FD025
Version: 7.2.6001.788

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)
DPF name:
CLSID name: MUWebControl Class
Installer:
Codebase: http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180963787375
description:
classification: Legitimate
known filename: muweb.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\system32\
Long name: muweb.dll
Short name:
Date (created): 26/05/2005 05:19:32
Date (last access): 10/03/2009 23:53:10
Date (last write): 16/10/2008 15:06:48
Filesize: 208744
Attributes: archive
MD5: D2E6F0A06391FE5556E8A1D6D5041A5E
CRC32: 27FBFA7D
Version: 7.2.6001.788

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_13
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_13.dll
Short name:
Date (created): 27/03/2009 17:27:46
Date (last access): 27/03/2009 17:27:46
Date (last write): 27/03/2009 17:27:46
Filesize: 136600
Attributes: archive
MD5: 20188EB1790C5EB9057DDFE3EA138FC7
CRC32: 2EA1ACCF
Version: 6.0.130.3

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class)
DPF name:
CLSID name: MessengerStatsClient Class
Installer:
Codebase: http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
description:
classification: Legitimate
known filename: MessengerStatsPAClient.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: MessengerStatsPAClient.dll
Short name: MESSEN~1.DLL
Date (created): 22/02/2007 23:41:12
Date (last access): 27/02/2009 23:43:18
Date (last write): 22/02/2007 23:41:12
Filesize: 304544
Attributes: archive
MD5: 8945CCA5FC4F25168E8B6F401EFAF51F
CRC32: 0F12FD23
Version: 9.5.6907.1

{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_13
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_13.dll
Short name:
Date (created): 27/03/2009 17:27:46
Date (last access): 27/03/2009 17:27:46
Date (last write): 27/03/2009 17:27:46
Filesize: 136600
Attributes: archive
MD5: 20188EB1790C5EB9057DDFE3EA138FC7
CRC32: 2EA1ACCF
Version: 6.0.130.3

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_13
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre6\bin\
Long name: npjpi160_13.dll
Short name:
Date (created): 27/03/2009 17:27:46
Date (last access): 27/03/2009 17:27:46
Date (last write): 27/03/2009 17:27:46
Filesize: 136600
Attributes: archive
MD5: 20188EB1790C5EB9057DDFE3EA138FC7
CRC32: 2EA1ACCF
Version: 6.0.130.3

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\CONFLICT.1\swflash.inf
Codebase: http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash10b.ocx
Short name:
Date (created): 03/02/2009 03:07:18
Date (last access): 16/06/2009 16:27:00
Date (last write): 03/02/2009 03:07:18
Filesize: 3866528
Attributes: readonly archive
MD5: 8AFC17155ED5AB60B7C52D7F553D579C
CRC32: 0FBC13F3
Version: 10.0.22.87



--- Process list ---
PID: 0 ( 0) [System]
PID: 452 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 660 ( 452) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 800 ( 452) \??\C:\WINDOWS\system32\winlogon.exe
size: 507904
PID: 924 ( 800) C:\WINDOWS\system32\services.exe
size: 110592
MD5: 65DF52F5B8B6E9BBD183505225C37315
PID: 936 ( 800) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: BF2466B3E18E970D8A976FB95FC1CA85
PID: 1172 ( 924) C:\WINDOWS\system32\Ati2evxx.exe
size: 409600
MD5: C23082B890F21267037CA6111C385FF3
PID: 1216 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1412 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1456 ( 924) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1492 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1688 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1880 ( 924) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: D8E14A61ACC1D4A6CD0D38AEBAC7FA3B
PID: 1964 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 2004 ( 924) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
size: 144712
MD5: 7E94E567C1AA5ABE6174032B3DAB6C23
PID: 2020 ( 924) C:\Program Files\Bonjour\mDNSResponder.exe
size: 238888
MD5: 3F56903E124E820AEECE6D471583C6C1
PID: 2040 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 240 ( 924) C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
size: 258103
MD5: 0F2CD70A636FCD7362F5DAE96AFDF17F
PID: 336 ( 924) C:\Program Files\Java\jre6\bin\jqs.exe
size: 152984
MD5: 890369AED0DDE1A98F09F7DC239CA2BD
PID: 392 ( 924) C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
size: 206096
MD5: 02DD571C055A6644E8CF952058D4BA9C
PID: 476 ( 924) C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
size: 797864
MD5: 5F2E238661F79CC2D0347F0265BF0063
PID: 348 ( 924) c:\program files\common files\mcafee\mna\mcnasvc.exe
size: 2482848
MD5: AA490BFB95998686AF46FDCD8093443B
PID: 656 ( 924) c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
size: 359952
MD5: 5A8D1ACD2070B8261236D5484AE63721
PID: 724 ( 924) C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
size: 144704
MD5: 0C53EFC1DD2318A235EC628A41E05312
PID: 1260 ( 924) C:\Program Files\McAfee\MPF\MPFSrv.exe
size: 884360
MD5: DE51C0969EE26777D2D10C5CF70538FA
PID: 1556 ( 924) C:\Program Files\McAfee\MSK\MskSrver.exe
size: 26640
MD5: 9A55CFA5F970BB407C7F639D19578A89
PID: 1508 ( 924) C:\WINDOWS\system32\HPZipm12.exe
size: 73728
MD5: 2D091A99624FB9E7EEF0A86D872EC0C3
PID: 1708 ( 924) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18
PID: 1772 ( 924) C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
size: 53307
MD5: CCFDECD6060EA8EB0F8466782A97FF21
PID: 1840 (1772) C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
size: 5203968
MD5: 95A3BE8657A83652E27280E856A3E7C5
PID: 2876 ( 924) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: 8C515081584A38AA007909CD02020B3D
PID: 2748 (1216) c:\PROGRA~1\mcafee.com\agent\mcagent.exe
size: 645328
MD5: 88A8EBA41A7FE46167D10975DC15BC4A
PID: 2820 (2604) C:\WINDOWS\Explorer.EXE
size: 1033728
MD5: 12896823FB95BFB3DC9B46BCAEDC9923
PID: 520 (2820) C:\WINDOWS\stsystra.exe
size: 282624
MD5: 289BDC9E5681BD1BE0FB871C460BD254
PID: 1148 (2820) C:\Program Files\Microsoft IntelliType Pro\itype.exe
size: 813912
MD5: F2E2AAD0EE3E886161A907F473A10B20
PID: 708 (2820) C:\Program Files\Microsoft IntelliPoint\ipoint.exe
size: 849280
MD5: F4E7979D8ADEBEEDEAD33019A5BD52BF
PID: 1728 (2820) C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
size: 5724184
MD5: A8972A2F9A744DD5EE0BFE429D767F1C
PID: 1616 (2820) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3
PID: 3820 ( 924) C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
size: 606736
MD5: 9C2BA4C40B94D049539AD99235715A9A
PID: 1340 (2820) C:\Program Files\Internet Explorer\iexplore.exe
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E
PID: 2060 (2820) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 5365592
MD5: 0477C2F9171599CA5BC3307FDFBA8D89
PID: 4 ( 0) System
PID: 3780 (1340) C:\Program Files\Internet Explorer\iexplore.exe
size: 638816
MD5: B60DDDD2D63CE41CB8C487FCFBB6419E


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 06/07/2009 22:02:15

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.google.co.uk/webhp?hl=en
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD RfComm [Bluetooth]
GUID: {9FC48064-7298-43E4-B7BD-181F2089792A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD RfComm [Bluetooth]

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A7933F12-CB71-41AC-B5B2-BFF23857323A}] SEQPACKET 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A7933F12-CB71-41AC-B5B2-BFF23857323A}] DATAGRAM 9
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{430ECC8B-1CC9-4793-BA49-0F8139D9BC85}] SEQPACKET 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{430ECC8B-1CC9-4793-BA49-0F8139D9BC85}] DATAGRAM 8
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F93F3702-4998-4712-B382-D9F208B21225}] SEQPACKET 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{F93F3702-4998-4712-B382-D9F208B21225}] DATAGRAM 7
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4660E909-49F3-45D2-A12D-999DC7E340EB}] SEQPACKET 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{4660E909-49F3-45D2-A12D-999DC7E340EB}] DATAGRAM 6
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8C4BC2B4-6CBC-4E47-AF10-3ABFC2B34194}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{8C4BC2B4-6CBC-4E47-AF10-3ABFC2B34194}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CCF58095-1582-49DD-9007-B09A9FF8ABF0}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{CCF58095-1582-49DD-9007-B09A9FF8ABF0}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{718FDF74-7835-4848-B3B2-7CFEB8BB3818}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 19: MSAFD NetBIOS [\Device\NetBT_Tcpip_{718FDF74-7835-4848-B3B2-7CFEB8BB3818}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 20: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EA6A5AFF-F8CD-4486-B169-C8CCC9CB55E5}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 21: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EA6A5AFF-F8CD-4486-B169-C8CCC9CB55E5}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 22: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29B39846-0902-49E5-B96A-2F1FC54E9A72}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 23: MSAFD NetBIOS [\Device\NetBT_Tcpip_{29B39846-0902-49E5-B96A-2F1FC54E9A72}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 24: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2F9FBC39-C724-4E7B-AEFD-EDFE1FAC9BF8}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 25: MSAFD NetBIOS [\Device\NetBT_Tcpip_{2F9FBC39-C724-4E7B-AEFD-EDFE1FAC9BF8}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: Bluetooth Namespace
GUID: {06AA63E0-7D60-41FF-AFB2-3EE6D2D9392D}
Filename: %SystemRoot%\system32\wshbth.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\wshbth.dll
DB protocol: Bluetooth-Namespace

Namespace Provider 4: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP

Shaba
2009-07-07, 12:23
That looks clean to me.

Does it find something upon rescan?

lex200
2009-07-08, 02:40
The computer is running fine, no problems, but I scanned it with Spybot and it found win32.tdss.reg. I fixed the problem only to find that it was there on the next scan and every one since; I can't get rid of it. I also scanned it with McAfee and Malwarebytes' Anti-Malware but both came up clean. I will attach a fresh HJT log.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:36:01, on 08/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2070107
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203731462390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180963787375
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0151801245870868) (0151801245870868mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\0151801245870868mcinst.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Advanced Networking Service (hnmsvc) - Unknown owner - C:\Program Files\Dell Network Assistant\hnm_svc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10740 bytes

Shaba
2009-07-08, 09:18
Download gmer.zip (http://gmer.net/gmer.zip) and save to your desktop.
alternate download site (http://hype.free.googlepages.com/gmer.zip)

Unzip/extract the file to its own folder. (Click here (http://www.bleepingcomputer.com/tutorials/tutorial105.html) for information on how to do this if not sure. Win 2000 users click here (http://www.bleepingcomputer.com/tutorials/tutorial106.html).)
When you have done this, disconnect from the Internet and close all running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double-click on Gmer.exe to start the program.
Allow the gmer.sys driver to load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
Click on the Rootkit tab.
Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
Click on "Scan" and wait for the scan to finish.
Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
Note: If you have any problems, try running GMER in SAFE MODE (http://www.bleepingcomputer.com/forums/tutorial61.html)
Important! Please do not select the "Show all" checkbox during the scan.

lex200
2009-07-09, 10:07
GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-09 07:33:11
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA8BC54EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA8BC5581]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA8BC5498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA8BC54AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA8BC5595]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA8BC55C1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA8BC562F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA8BC5619]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA8BC552A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA8BC565B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA8BC556D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA8BC5470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA8BC5484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA8BC54FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA8BC5697]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA8BC5603]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA8BC55ED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA8BC55AB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA8BC5683]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA8BC566F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA8BC54D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA8BC54C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA8BC55D7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA8BC5559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA8BC5645]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA8BC5540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA8BC5514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A8BC5518 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[668] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[668] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00060079
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00060068
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0006004D
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00060032
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00060FA1
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00060F4C
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00060094
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000600E5
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 000600C0
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000600F6
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00060F90
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00060F69
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00060FB2
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[912] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 000600AF
.text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0005001B
.text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00050058
.text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00050FCA
.text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00050000
.text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00050047
.text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00050FE5
.text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00050036
.text C:\WINDOWS\system32\services.exe[912] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00050FAF
.text C:\WINDOWS\system32\services.exe[912] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00040064
.text C:\WINDOWS\system32\services.exe[912] msvcrt.dll!system 77C293C7 5 Bytes JMP 00040049
.text C:\WINDOWS\system32\services.exe[912] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0004001D
.text C:\WINDOWS\system32\services.exe[912] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\services.exe[912] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00040038
.text C:\WINDOWS\system32\services.exe[912] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\services.exe[912] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0003000A
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00060056
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00060F61
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0006002F
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00060F7C
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00060FA8
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00060F30
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00060078
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 000600AB
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0006009A
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000600C6
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00060F97
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00060067
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00060FCD
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00060FDE
.text C:\WINDOWS\system32\lsass.exe[924] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00060089
.text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00050FB9
.text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00050F57
.text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00050FDE
.text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00050F68
.text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00050F79
.text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [25, 88]
.text C:\WINDOWS\system32\lsass.exe[924] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00050F94
.text C:\WINDOWS\system32\lsass.exe[924] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00040F8D
.text C:\WINDOWS\system32\lsass.exe[924] msvcrt.dll!system 77C293C7 5 Bytes JMP 00040FA8
.text C:\WINDOWS\system32\lsass.exe[924] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00040011
.text C:\WINDOWS\system32\lsass.exe[924] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00040FEF
.text C:\WINDOWS\system32\lsass.exe[924] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00040022
.text C:\WINDOWS\system32\lsass.exe[924] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00040000
.text C:\WINDOWS\system32\lsass.exe[924] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0003000A
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009A0FEF
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009A0096
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009A0071
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009A0F97
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009A0FA8
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009A0FCD
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009A00C4
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009A00A7
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009A0F57
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009A00E6
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009A010B
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009A0054
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009A0FDE
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009A0F86
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009A002F
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009A001E
.text C:\WINDOWS\system32\svchost.exe[1204] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009A00D5
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0099002F
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0099008A
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00990FD4
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00990065
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00990FC3
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B9, 88]
.text C:\WINDOWS\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00990040
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0098004C
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!system 77C293C7 5 Bytes JMP 00980031
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00980FD2
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00980000
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00980FB7
.text C:\WINDOWS\system32\svchost.exe[1204] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00980FE3
.text C:\WINDOWS\system32\svchost.exe[1204] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00970FEF
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B60FEF
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B60F8A
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B6007F
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B60F9B
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B60058
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B60047
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B600AB
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B60F63
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B600E1
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B600C6
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B600FC
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B60FC0
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B6000A
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B6009A
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B60036
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B60025
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B60F3E
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B50040
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B50FAF
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B50FE5
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B50011
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B50FCA
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B50000
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B5006C
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B5005B
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B40FB9
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B40FD4
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B40029
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B40FEF
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B40044
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B4000C
.text C:\WINDOWS\system32\svchost.exe[1396] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B30FEF
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03730000
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03730F4B
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03730F5C
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03730F6D
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03730F8A
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03730FCA
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03730076
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03730F2E
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 037300A5
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03730F0C
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03730EF1
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03730FAF
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 03730011
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 03730065
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0373002C
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 03730FDB
.text C:\WINDOWS\System32\svchost.exe[1456] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03730F1D
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03720047
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03720FAC
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0372002C
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0372001B
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03720069
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03720000
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03720FD1
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [92, 8B]
.text C:\WINDOWS\System32\svchost.exe[1456] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03720058
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0371002E
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!system 77C293C7 5 Bytes JMP 0371001D
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03710FD2
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03710000
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03710FAD
.text C:\WINDOWS\System32\svchost.exe[1456] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 03710FE3
.text C:\WINDOWS\System32\svchost.exe[1456] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03700FE5
.text C:\WINDOWS\System32\svchost.exe[1456] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 02CC0FEF
.text C:\WINDOWS\System32\svchost.exe[1456] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 02CC0000
.text C:\WINDOWS\System32\svchost.exe[1456] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 02CC0FCA
.text C:\WINDOWS\System32\svchost.exe[1456] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 02CC001B
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00290F57
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00290056
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00290F7C
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00290039
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00290FA1
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00290F29
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00290F46
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00290EF3
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00290F0E
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002900A7
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00290028
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00290FDE
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00290067
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00290FB2
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00290FC3
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00290082
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00280025
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00280F72
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00280FD4
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00280000
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00280F8D
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00280FEF
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00280FA8
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [48, 88]
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00280FB9
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00270FC5
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00270050
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0027002E
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00270000
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0027003F
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0027001D
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 008E0000
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 008E0095
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 008E007A
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 008E0069
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 008E004E
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 008E0033
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 008E00B2
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 008E0F6A
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 008E00DE
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 008E0F45
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 008E00F9
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 008E0FAC
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 008E0FE5
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 008E0F7B
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 008E0022
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 008E0011
.text C:\WINDOWS\system32\svchost.exe[1672] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 008E00C3
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 008D0FB9
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 008D0F8D
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyExA

lex200
2009-07-09, 10:07
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 008D000A
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 008D0040
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 008D0FEF
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 008D0F9E
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AD, 88]
.text C:\WINDOWS\system32\svchost.exe[1672] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 008D0025
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 008C0081
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!system 77C293C7 5 Bytes JMP 008C0070
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 008C0044
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_open 77C2F566 5 Bytes JMP 008C0000
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 008C0055
.text C:\WINDOWS\system32\svchost.exe[1672] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 008C0029
.text C:\WINDOWS\system32\svchost.exe[1672] WS2_32.dll!socket 71AB4211 5 Bytes JMP 008B0000
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A60090
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A60F9B
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A60069
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A60058
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A6003D
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A600BE
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A600A1
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A60F25
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A60F40
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A60F14
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A60FB6
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A6001B
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A60F76
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A60FD1
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A6002C
.text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A60F51
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A5001B
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A50051
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A50000
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A50FCA
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A50F94
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A50FA5
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C5, 88]
.text C:\WINDOWS\system32\svchost.exe[1712] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A5002C
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A40F9C
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A40FAD
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A40FE3
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A4000C
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A40FC8
.text C:\WINDOWS\system32\svchost.exe[1712] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A4001D
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A70F61
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A70056
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A70045
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A70F7C
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A70FBC
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A70F29
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A70071
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A700C2
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A700B1
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A700DD
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A70F97
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A70014
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A70F46
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A70FCD
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A70FDE
.text C:\WINDOWS\system32\svchost.exe[1948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A70096
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00810FC0
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00810051
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00810FDB
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00810011
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00810040
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00810000
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00810F9E
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [A1, 88]
.text C:\WINDOWS\system32\svchost.exe[1948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00810FAF
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00800FA8
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!system 77C293C7 5 Bytes JMP 0080003D
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00800FCD
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00800000
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00800022
.text C:\WINDOWS\system32\svchost.exe[1948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00800011
.text C:\WINDOWS\system32\svchost.exe[1948] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 007E000A
.text C:\WINDOWS\system32\svchost.exe[1948] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 007E0FEF
.text C:\WINDOWS\system32\svchost.exe[1948] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 007E0025
.text C:\WINDOWS\system32\svchost.exe[1948] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 007E0036
.text C:\WINDOWS\system32\svchost.exe[1948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 007F0000
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 002A000A
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 002A0076
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 002A0F77
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 002A0F88
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 002A0FAF
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 002A0047
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002A00A4
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002A0093
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 002A00B5
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002A0F26
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 002A00D0
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 002A0FC0
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 002A001B
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 002A0F5C
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 002A0036
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\svchost.exe[2024] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002A0F41
.text C:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0029001B
.text C:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290F9B
.text C:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290FCA
.text C:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290000
.text C:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290058
.text C:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029003D
.text C:\WINDOWS\system32\svchost.exe[2024] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0029002C
.text C:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00280FA1
.text C:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!system 77C293C7 5 Bytes JMP 00280FB2
.text C:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00280011
.text C:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00280000
.text C:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0028002C
.text C:\WINDOWS\system32\svchost.exe[2024] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00280FD7
.text C:\WINDOWS\system32\svchost.exe[2024] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00270000
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[2448] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0144ED60 C:\Program Files\McAfee\SiteAdvisor\saPlugin.dll
.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[2448] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00190FE5
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0019004A
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00190F55
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00190F72
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0019002F
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00190F9E
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00190F30
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0019006C
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00190F15
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001900AE
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001900C9
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00190F83
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00190FD4
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0019005B
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0019000A
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00190FB9
.text C:\WINDOWS\Explorer.EXE[3880] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00190093
.text C:\WINDOWS\Explorer.EXE[3880] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0028002F
.text C:\WINDOWS\Explorer.EXE[3880] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00280080
.text C:\WINDOWS\Explorer.EXE[3880] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00280FDE
.text C:\WINDOWS\Explorer.EXE[3880] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0028000A
.text C:\WINDOWS\Explorer.EXE[3880] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00280065
.text C:\WINDOWS\Explorer.EXE[3880] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00280FEF
.text C:\WINDOWS\Explorer.EXE[3880] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00280054
.text C:\WINDOWS\Explorer.EXE[3880] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00280FC3
.text C:\WINDOWS\Explorer.EXE[3880] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00290F9A
.text C:\WINDOWS\Explorer.EXE[3880] msvcrt.dll!system 77C293C7 5 Bytes JMP 00290FAB
.text C:\WINDOWS\Explorer.EXE[3880] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00290FCD
.text C:\WINDOWS\Explorer.EXE[3880] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00290000
.text C:\WINDOWS\Explorer.EXE[3880] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00290FBC
.text C:\WINDOWS\Explorer.EXE[3880] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00290011
.text C:\WINDOWS\Explorer.EXE[3880] WININET.dll!InternetOpenA 3D95D6C0 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[3880] WININET.dll!InternetOpenW 3D95DB39 5 Bytes JMP 002B001B
.text C:\WINDOWS\Explorer.EXE[3880] WININET.dll!InternetOpenUrlA 3D95F3D4 5 Bytes JMP 002B002C
.text C:\WINDOWS\Explorer.EXE[3880] WININET.dll!InternetOpenUrlW 3D9A6DD7 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[3880] WININET.dll!InternetOpenUrlW 3D9A6DD7 5 Bytes JMP 002B0FDB
.text C:\WINDOWS\Explorer.EXE[3880] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01C30000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016383a89f2
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016383a89f2@0016b89a1eac 0xC5 0x25 0xB4 0x29 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0016383a89f2@00162036fc10 0x25 0xEB 0xE5 0x04 ...
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxboultoyxyenxjmsfyxjbaomydcnmpapm.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk@imagepath \systemroot\system32\drivers\ovfsthodymrdttptqqcyopdncraawolnojpkfp.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk@inst 0
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@ver icv310309
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@cid 01
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@bid 2021506057-2606577421-1681171435-465083108
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@aid 303431
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@sid 64
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@feed 0x22 0x64 0x78 0x36 ...
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main@cmddelay 14401
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\delete
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\ff
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\ff@extension \\?\C:\Program Files\Mozilla Firefox\extensions\{FAFC72D4-EC82-4882-8FCD-6FF8A40CD6B5}
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\ff@version 1
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\injector
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\injector@iexplore.exe ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\injector@explorer.exe ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\main\tasks
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsth.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsth.sys
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsthlog.dat \systemroot\system32\ovfsthmcdjkfavgutndvntknythwsyiowjmbir.dat
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsthwi.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsthff.dll
Reg HKLM\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk\modules@ovfsth.dat \systemroot\system32\ovfsthrtftbnoctcedyrtjrfvvbymlghbtqenc.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016383a89f2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016383a89f2@0016b89a1eac 0xC5 0x25 0xB4 0x29 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016383a89f2@00162036fc10 0x25 0xEB 0xE5 0x04 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016383a89f2
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016383a89f2@0016b89a1eac 0xC5 0x25 0xB4 0x29 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0016383a89f2@00162036fc10 0x25 0xEB 0xE5 0x04 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{419CBC81-6C63-B8F0-9287-CBCA5B9F7FA6}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{419CBC81-6C63-B8F0-9287-CBCA5B9F7FA6}@ablgadpineiaodmckkdgdmmnbofcogdiak 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{419CBC81-6C63-B8F0-9287-CBCA5B9F7FA6}@bblgadpineiaodmckkcgcmemjapgggmojdko 0x61 0x61 0x00 0x00

---- EOF - GMER 1.0.15 ----

Shaba
2009-07-09, 11:39
We will continue with ComboFix.exe. Please visit this webpage for download links and instructions for running the tool:
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
If you need help to disable your protection programs see here. (http://www.bleepingcomputer.com/forums/topic114351.html)

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

lex200
2009-07-09, 12:35
ComboFix 09-07-08.06 - Shez 09/07/2009 10:21.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2546 [GMT 1:00]
Running from: c:\documents and settings\Shez\Desktop\ComboFix.exe
AV: ESET NOD32 antivirus system 2.51 *On-access scanning disabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shez\Application Data\inst.exe
c:\program files\Mozilla Firefox\extensions\{FAFC72D4-EC82-4882-8FCD-6FF8A40CD6B5}
c:\program files\Mozilla Firefox\extensions\{FAFC72D4-EC82-4882-8FCD-6FF8A40CD6B5}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{FAFC72D4-EC82-4882-8FCD-6FF8A40CD6B5}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{FAFC72D4-EC82-4882-8FCD-6FF8A40CD6B5}\install.rdf
c:\windows\Installer\116a7dd.msi
c:\windows\Installer\11b995.msp
c:\windows\Installer\1fbdf.msp
c:\windows\Installer\2121030.msp
c:\windows\Installer\2b00c.msp
c:\windows\Installer\3284dbc.msi
c:\windows\Installer\a887eac.msi
c:\windows\Installer\b291.msi
c:\windows\kb913800.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-04 20:17 . 2009-07-04 20:17 -------- d-----w- c:\program files\XP Codec Pack
2009-06-30 01:47 . 2009-06-30 01:47 -------- d-sh--w- c:\documents and settings\Shez\IECompatCache
2009-06-25 22:50 . 2009-06-25 22:50 -------- d-----w- c:\program files\Secunia
2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2009-06-16 19:07 . 2009-06-16 19:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-16 18:20 . 2009-06-16 18:20 -------- d-sh--w- c:\documents and settings\Shez\PrivacIE
2009-06-16 18:13 . 2009-06-16 18:13 -------- d-sh--w- c:\documents and settings\Shez\IETldCache
2009-06-16 18:13 . 2009-06-16 18:13 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-16 18:01 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-16 18:01 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-16 18:01 . 2009-06-16 18:01 -------- d-----w- c:\windows\ie8updates
2009-06-16 18:01 . 2009-05-12 05:11 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-16 17:59 . 2009-06-16 18:01 -------- dc-h--w- c:\windows\ie8
2009-06-14 23:48 . 2009-06-14 23:48 -------- d-----w- c:\program files\iPod
2009-06-14 23:38 . 2009-06-14 23:38 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 00:32 . 2007-01-07 18:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-07 23:14 . 2008-12-07 02:37 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-07-05 20:30 . 2008-03-10 21:11 -------- d-----w- c:\program files\SpywareBlaster
2009-07-02 22:26 . 2009-04-06 20:13 -------- d-----w- c:\documents and settings\Shez\Application Data\uTorrent
2009-06-18 21:50 . 2009-04-05 00:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-18 21:50 . 2009-04-10 02:46 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 10:27 . 2009-04-05 00:35 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2009-04-05 00:35 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-16 20:59 . 2007-01-07 18:24 84664 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-16 19:22 . 2007-02-22 00:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-16 19:20 . 2007-01-07 18:20 -------- d-----w- c:\program files\Microsoft Works
2009-06-16 19:20 . 2007-02-22 00:20 -------- d-----w- c:\program files\MSBuild
2009-06-15 00:47 . 2007-07-05 10:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-06-14 23:49 . 2007-01-17 21:21 -------- d-----w- c:\program files\Itunes
2009-06-14 23:48 . 2007-07-05 10:31 -------- d-----w- c:\program files\Common Files\Apple
2009-06-14 23:47 . 2007-05-31 10:02 -------- d-----w- c:\program files\QuickTime
2009-06-07 16:08 . 2007-01-17 21:27 -------- d-----w- c:\documents and settings\Shez\Application Data\Apple Computer
2009-06-05 10:42 . 2009-03-20 11:27 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 10:42 . 2007-11-08 02:50 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-21 12:34 . 2007-06-10 00:18 -------- d-----w- c:\documents and settings\Shez\Application Data\U3
2009-05-20 14:53 . 2009-05-20 14:53 49152 ----a-r- c:\documents and settings\Shez\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA1.exe
2009-05-20 14:53 . 2009-05-20 14:53 49152 ----a-r- c:\documents and settings\Shez\Application Data\Microsoft\Installer\{FCC07EEA-FA18-4A21-9105-9666603C6885}\IconFCC07EEA.exe
2009-05-20 14:53 . 2007-01-07 18:18 -------- d-----w- c:\program files\McAfee
2009-05-13 21:58 . 2009-05-13 21:58 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-05-13 21:58 . 2009-05-13 21:57 -------- d-----w- c:\program files\Linksys Wireless-G USB Wireless Network Monitor
2009-05-13 21:58 . 2007-02-16 16:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-13 21:57 . 2007-01-07 18:12 -------- d-----w- c:\program files\Common Files\InstallShield
2009-05-13 05:15 . 2005-08-16 04:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 15:08 . 2008-02-11 20:10 266400 ----a-r- c:\documents and settings\Shez\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-05-09 00:14 . 2009-05-09 00:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-09 00:14 . 2007-01-15 16:18 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
2009-05-07 15:32 . 2005-08-16 04:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 04:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2005-08-16 04:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-12 16:16 . 2009-04-12 16:16 8854 ----a-r- c:\documents and settings\Shez\Application Data\Microsoft\Installer\{51AA8C3F-B316-44A8-B371-4BB6047E45DF}\UNINST_Uninstall_W_F8456DC0AC9E42C195467F97E4D2E6AE_1.exe
2009-04-12 16:16 . 2009-04-12 16:16 319488 ----a-r- c:\documents and settings\Shez\Application Data\Microsoft\Installer\{51AA8C3F-B316-44A8-B371-4BB6047E45DF}\wpc2007.exe_51AA8C3FB31644A8B3714BB6047E45DF.exe
2009-04-12 16:16 . 2009-04-12 16:16 319488 ----a-r- c:\documents and settings\Shez\Application Data\Microsoft\Installer\{51AA8C3F-B316-44A8-B371-4BB6047E45DF}\ARPPRODUCTICON.exe
2008-02-03 22:43 . 2007-01-10 19:14 168 --sha-r- c:\windows\system32\B5D7B751F3.sys
2008-02-03 22:43 . 2007-02-17 16:12 5018 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-08-15 282624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\utorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Game.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Ubisoft\\Tom Clancy's H.A.W.X\\HAWX.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Itunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [07/12/2008 03:24 206096]
S2 0151801245870868mcinstcleanup;McAfee Application Installer Cleanup (0151801245870868);c:\windows\TEMP\0151801245870868mcinst.exe c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\0151801245870868mcinst.exe c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\DfSdkS.exe [13/03/2009 21:06 410976]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [06/07/2008 21:55 13352]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/06/2009 13:20 12648]
S3 SQTECH930B;Trust WB-3500T USB2 Webcam;c:\windows\system32\drivers\Capt930b.sys [23/05/2007 12:48 273982]
S3 W35UND;ISSC35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\DRIVERS\W35UND.SYS --> c:\windows\system32\DRIVERS\W35UND.SYS [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AUJASNKJ
*NewlyCreated* - GTNDIS5
*Deregistered* - aujasnkj

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]

2009-06-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 09:53]

2009-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-02-10 09:53]

2008-12-08 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2007-02-05 23:52]

2008-12-08 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-22 01:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/webhp?hl=en
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2070107
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\documents and settings\Shez\Application Data\Mozilla\Firefox\Profiles\cysjj9ci.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.notify.interval - 600000
FF - user.js: content.switch.threshold - 1000000
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: browser.blink_allowed - true
FF - user.js: network.prefetch-next - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: browser.urlbar.autoFill - false
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.urlbar.hideGoButton - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-09 10:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2606577421-1681171435-465083108-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2606577421-1681171435-465083108-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{419CBC81-6C63-B8F0-9287-CBCA5B9F7FA6}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"ablgadpineiaodmckkdgdmmnbofcogdiak"=hex:61,61,00,00
"bblgadpineiaodmckkcgcmemjapgggmojdko"=hex:61,61,00,00
.
Completion time: 2009-07-09 10:25
ComboFix-quarantined-files.txt 2009-07-09 09:25

Pre-Run: 196,212,768,768 bytes free
Post-Run: 196,149,608,448 bytes free

217 --- E O F --- 2009-07-04 17:16

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:47, on 09/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2070107
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203731462390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180963787375
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0151801245870868) (0151801245870868mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\0151801245870868mcinst.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Advanced Networking Service (hnmsvc) - Unknown owner - C:\Program Files\Dell Network Assistant\hnm_svc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10484 bytes

Shaba
2009-07-09, 13:26
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

lex200
2009-07-09, 13:32
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.2
Adobe® Photoshop® Album Starter Edition 3.0
Adobe® Photoshop® Album Starter Edition 3.0.1
Apple Mobile Device Support
Apple Software Update
Ashampoo WinOptimizer 6.20
ATI Catalyst Control Center
ATI Display Driver
Bonjour
Broadcom Management Programs
Critical Update for Windows Media Player 11 (KB959772)
DivX
Dual-Core Optimizer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB942288-v3)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Product Assistant
HP Solution Center 7.0
HP Update
iTunes
Java(TM) 6 Update 13
Linksys Wireless-G USB Network Adapter
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McAfee Uninstaller
McAfee Virtual Technician
MCU
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (3.0.11)
MSVC80_x86
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser (KB933579)
Nero 7 Ultra Edition
neroxml
OCR Software by I.R.I.S 7.0
PSP ISO Compressor
QuickTime
Secunia PSI
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Spybot - Search & Destroy
SpywareBlaster 4.2
Tom Clancy's H.A.W.X
Tom Clancy's Rainbow Six Vegas 2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Outlook 2007 Junk Email Filter (kb970012)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VCRedistSetup
WD Diagnostics
WebCyberCoach 3.2 Dell
WIDCOMM Bluetooth Software
Windows Imaging Component
Windows Internet Explorer 8
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows Presentation Foundation
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3
WinRAR archiver
WSC Real 09
XP Codec Pack
Your Uninstaller! 2008 Version 6.0

Shaba
2009-07-09, 18:11
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

uTorrent

I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new HJT scan when finished and post the log back here.
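
The first-pass reading a helper does on the logs above (a service whose binary has vanished from C:\WINDOWS\TEMP, an autostart entry given only as a bare filename, a Trusted Zone wildcard, a P2P client sitting in the Windows Firewall exception list) can be written down as checks over the log lines. The Python below is an added example for this thread; it is not a tool from the thread, from Trend Micro or from the ComboFix author. The sample lines are constructed from the HJT and ComboFix excerpts posted above, and the list of P2P client filenames is an assumption chosen for the example.

```python
"""Triage of HijackThis (HJT) and ComboFix log lines (added example).

Checks applied per line:
  O4  autostart command given as a bare filename (no drive or directory, so
      it is resolved through the search path) or living in a TEMP directory
  O15 Trusted Zone entries containing a wildcard
  O23 services whose binary is reported missing or whose owner is unknown
  ComboFix firewall AuthorizedApplications entries naming a P2P client
"""
import re
from dataclasses import dataclass

# Constructed sample: a few lines modelled on the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O15 - Trusted Zone: http://*.mcafee.com
O23 - Service: McAfee Application Installer Cleanup (0151801245870868) (0151801245870868mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\0151801245870868mcinst.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"""

# Assumed list of well-known P2P client executables (example data, extend as needed).
P2P_CLIENTS = {"utorrent.exe", "bittorrent.exe", "limewire.exe", "emule.exe",
               "azureus.exe", "bitcomet.exe", "ares.exe", "kazaa.exe"}

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>\S+)")
FW_RE = re.compile(r'^"(?P<path>[^"]+)"=$')


@dataclass(frozen=True)
class Finding:
    line_type: str   # "O4", "O15", "O23" or "FW" (ComboFix firewall exception)
    subject: str     # the entry the finding is about
    reason: str


def _command_image(cmd: str) -> str:
    """Return the executable part of an O4 command line, quoted or not."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def _check_o4(line: str) -> list[Finding]:
    m = O4_RE.match(line)
    if not m:
        return []
    image = _command_image(m.group("cmd"))
    out = []
    if "\\" not in image and ":" not in image:
        out.append(Finding("O4", image, "bare filename, resolved via the search path"))
    if "\\temp\\" in image.lower():
        out.append(Finding("O4", image, "autostart image lives in a TEMP directory"))
    return out


def _check_o15(line: str) -> list[Finding]:
    m = O15_RE.match(line)
    if m and "*" in m.group("zone"):
        return [Finding("O15", m.group("zone"), "wildcard Trusted Zone entry")]
    return []


def _check_o23(line: str) -> list[Finding]:
    if not line.startswith("O23 - Service: "):
        return []
    parts = line[len("O23 - Service: "):].split(" - ")
    if len(parts) < 3:
        return []
    # The display name may itself contain " - "; owner and path are the last two fields.
    display, owner, path = " - ".join(parts[:-2]), parts[-2], parts[-1]
    out = []
    if path.endswith("(file missing)"):
        out.append(Finding("O23", display, "service binary missing (stale or removed)"))
    if owner == "Unknown owner":
        out.append(Finding("O23", display, "no publisher recorded, verify the binary"))
    return out


def _check_firewall(line: str) -> list[Finding]:
    m = FW_RE.match(line)
    if not m:
        return []
    path = m.group("path").replace("\\\\", "\\")   # ComboFix doubles backslashes
    exe = path.rsplit("\\", 1)[-1].lower()
    if exe in P2P_CLIENTS:
        return [Finding("FW", exe, "P2P client allowed through Windows Firewall")]
    return []


def triage(log_text: str) -> list[Finding]:
    """Run every check over each line and return the findings in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (_check_o4, _check_o15, _check_o23, _check_firewall):
            findings.extend(check(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line_type:4} {f.subject}: {f.reason}")
```

Paste a whole HJT log into `triage()` and it returns the entries worth a second look; everything else (signed McAfee, Apple and Microsoft services with a present binary, quoted full-path Run entries) drops out silently. The "Unknown owner" check is deliberately noisy: HJT reports it for any binary without version information, so it is a prompt to verify the file, not a verdict.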

lex200
2009-07-10, 01:08
Hi Shaba, I have done as you've asked. I also ran Spybot, but the infection is still there; I did not fix anything via Spybot, only ran the scan. Here is the log you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:06:24, on 09/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/webhp?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2070107
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Phishing Filter - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\PROGRA~1\mcafee\msk\mskapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203731462390
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1180963787375
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: McAfee Application Installer Cleanup (0151801245870868) (0151801245870868mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\0151801245870868mcinst.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Advanced Networking Service (hnmsvc) - Unknown owner - C:\Program Files\Dell Network Assistant\hnm_svc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - Unknown owner - C:\Program Files\Dell Support Center\bin\sprtsvc.exe (file missing)
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 10549 bytes

Shaba
2009-07-10, 08:10
Well then you will need to post the next Spybot report where that infection shows :)

lex200
2009-07-10, 13:52
--- Report generated: 2009-07-09 12:25 ---

Win32.TDSS.reg: [SBI $48FC2A86] System Service (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ovfsthucvirudxlxhhxgdlktdcugqsbbnquevk


--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-20 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-23 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-06-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-06-30 Includes\Malware.sbi (*)
2009-06-30 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-06-30 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-06-17 Includes\Trojans.sbi (*)
2009-06-30 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

lex200
2009-07-10, 14:36
Ignore the last post, as I have scanned it again with the updates and it came back clean.

--- Report generated: 2009-07-10 12:35 ---

Congratulations!: No immediate threats were found. (Status)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-03-20 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-07-07 Includes\HijackersC.sbi (*)
2009-06-23 Includes\Keyloggers.sbi (*)
2009-07-07 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2009-06-30 Includes\Malware.sbi (*)
2009-07-07 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-07-07 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-07-07 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-07-07 Includes\Trojans.sbi (*)
2009-07-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

Shaba
2009-07-10, 19:18
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

lex200
2009-07-11, 04:07
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Friday, July 10, 2009 23:22:42
Records in database: 2457893
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 134020
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 02:34:49

No malware has been detected. The scan area is clean.

The selected area was scanned.

Shaba
2009-07-11, 12:12
Good :)

Still problems?

lex200
2009-07-12, 01:06
Thanks for your help. :bigthumb:

Shaba
2009-07-12, 12:01
Good :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the run box and click OK

Next we remove all used tools.

Please download OTCleanIt (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with the instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your PC.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. Tutorials on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:
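As an added example, not part of the thread or of any tool it names, this PowerShell script audits (and optionally sets) the six Internet-zone settings the post above asks the user to change through IE's Custom Level dialog, by reading the registry values IE stores them in. The action IDs, the 0/1/3 encoding and the match between each ID and the post's wording are assumptions based on IE's zone-setting conventions; run it from an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread): audit the Internet-zone settings the
# post recommends, straight from the registry instead of the Custom Level GUI.
# Action IDs and the 0/1/3 encoding follow IE's zone-setting conventions;
# matching each ID to the post's wording is an assumption.

# Zone 3 is the "Internet" zone; per-user settings live under HKCU.
# A machine policy (HKLM\...\Policies\...\Internet Settings) can override these.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# 0 = Enable, 1 = Prompt, 3 = Disable. A higher value is stricter.
$Label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Action ID -> setting name (as worded in the post) and the value it recommends.
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}

function Test-InternetZoneSettings {
    [CmdletBinding()]
    param(
        # With -Fix, settings weaker than recommended are set to the recommended
        # value; without it the function only reports.
        [switch]$Fix
    )
    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop
    foreach ($id in $Recommended.Keys) {
        $want = $Recommended[$id].Want
        $have = $props.$id                      # $null when the value is absent
        if ($null -eq $have) {
            $state  = 'not set (zone default applies)'
            $strict = $false                    # unknown, so flag it for review
        } else {
            $state  = if ($Label.Contains([int]$have)) { $Label[[int]$have] } else { "raw value $have" }
            $strict = [int]$have -ge $want      # at least as strict as recommended
        }
        if (-not $strict -and $Fix) {
            Set-ItemProperty -Path $ZoneKey -Name $id -Value $want -Type DWord
            $state = "$state -> set to $($Label[$want])"
        }
        [pscustomobject]@{
            ActionId    = $id
            Setting     = $Recommended[$id].Name
            Current     = $state
            Recommended = $Label[$want]
            Compliant   = ($strict -or $Fix)
        }
    }
}

# Report only; add -Fix to apply the values the post recommends.
Test-InternetZoneSettings | Format-Table -AutoSize
```

The HijackThis log earlier in this thread shows IE restriction policies present under HKLM\Software\Policies; where such a policy exists, it wins over the per-user values this script reads, so a Compliant=True row still deserves a glance at the policy key.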

Shaba
2009-07-18, 10:16
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.