Husband's laptop infected, trojans etc. Please HELP!!



taichi
2010-08-14, 16:31
Hi,

My husband's laptop was just now infected with trojans, etc. He always has Windows Updates and McAfee on and updating, running, etc. His computer started running slower and slower and slower. He ran STOPzilla, and it found around 140 things wrong, but he didn't have it fix anything.

I had him install Malwarebytes, and he ran that last night; it found some things and deleted them. He had also downloaded RegCure and just ran it. It found some things and "fixed" them. I had ERUNT downloaded and a registry backup run, had DDS run, and am copying the two logs.

His computer is still verrrrrry slow and takes forever for bootup and for any program to run.

Please assist with next steps. Thank you!
Taichi

This is what MalwareBytes found:
Folders Infected:
C:\Program Files\BarQuery (Adware.Zwangi) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{2846F16D-1C5E-4020-A9D5-BED074979E0E}\RP979\A0096553.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\BarQuery\barquery(2).exe (Adware.Zwangi) -> Quarantined and deleted successfully.

** Here are the logs:
DDS (Ver_10-03-17.01) - NTFSx86
Run by Edgar at 9:14:11.53 on Sat 08/14/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.473 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe
C:\WINDOWS\eHome\ehRecvr.exe
c:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Server.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Edgar\Application Data\Color_Server_Client_Tools\JRE\JRE1.5\bin\DEX_IC-304V2.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\interwise\participant\pull.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Edgar\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.unitedprintingsolutions.com/home
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [DexStarter_IC-304V2] "c:\documents and settings\edgar\application data\color_server_client_tools\printerdriver\ic-304v2\DexRunner.bat"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pushcl~1.lnk - c:\program files\interwise\participant\pull.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Save Page As PDF ... - file://c:\program files\nitro pdf\pdf download\nitroweb.htm
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {AD9E6088-E00B-42f9-9F0C-8480525D234E} - {FF5073C0-28A0-4223-9BDF-59FF020FE77C}
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1213386700453
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252027171125
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\edgar\applic~1\mozilla\firefox\profiles\y9www687.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2004-11-10 138801]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-6-26 214664]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2004-11-10 46800]
R2 EFI ES1000;EFI ES1000;c:\program files\common files\efi\efi es-1000 service\ES1000Service.exe [2008-12-4 9216]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2010-6-26 203280]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2010-6-26 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2010-6-26 144704]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2008-6-13 231424]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2010-6-26 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-26 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-26 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-6-26 40552]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-22 135664]
S2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-6-16 106586]
S2 McTaskManager;Network Associates Task Manager;c:\program files\network associates\virusscan\VsTskMgr.exe [2003-9-29 69706]
S3 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S3 i1;eye-one;c:\windows\system32\drivers\i1.sys [2008-6-19 26045]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-6-26 34248]

=============== Created Last 30 ================

2010-08-14 02:39:54 0 d-----w- c:\docume~1\edgar\applic~1\Malwarebytes
2010-08-14 02:39:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-14 02:39:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-14 02:39:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-08-14 02:39:35 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-14 02:28:58 0 d-----w- c:\docume~1\edgar\applic~1\STOPzilla!
2010-08-14 02:09:53 256 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-08-13 21:36:17 3488 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-08-13 21:15:11 0 d-----w- c:\program files\STOPzilla!
2010-08-13 21:15:05 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-08-13 01:47:05 0 d-----w- c:\program files\Conduit
2010-08-13 01:47:00 0 d-----w- c:\program files\Vuze_Remote
2010-08-11 13:05:09 3442 ----a-w- c:\windows\hpbvnstp.his
2010-08-11 13:05:09 1298 ----a-w- c:\windows\hpbvnstp.ini
2010-08-11 13:03:27 9344 ----a-w- c:\windows\system32\drivers\hpfxbulk.sys
2010-08-11 13:03:27 188416 ----a-w- c:\windows\system32\hppcew04.dll
2010-08-11 13:03:27 17024 ----a-w- c:\windows\system32\drivers\hpfxgen.sys
2010-08-11 13:03:14 648 ----a-w- c:\windows\system32\hppapr04.dat
2010-08-11 13:03:14 331776 ----a-w- c:\windows\system32\hppepr04.dll
2010-08-11 13:03:14 241664 ----a-w- c:\windows\system32\hppapr04.dll
2010-08-11 12:50:52 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-08-11 12:50:52 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-08-10 14:32:19 0 d-----w- c:\program files\Dzip
2010-08-01 13:15:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Citrix
2010-08-01 13:11:40 0 d-----w- c:\program files\Citrix
2010-08-01 13:11:13 103784 ----a-w- c:\documents and settings\edgar\GoToAssistDownloadHelper.exe
2010-08-01 12:49:41 0 d-----w- c:\docume~1\edgar\applic~1\McAfee
2010-07-31 21:56:34 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-07-30 20:15:55 0 d-----w- c:\windows\Speeditup Free
2010-07-30 20:15:55 0 d-----w- c:\program files\Speeditup Free
2010-07-24 21:49:15 0 d-----w- c:\program files\Windows Desktop Search
2010-07-24 21:49:14 0 d-----w- c:\windows\system32\GroupPolicy
2010-07-24 21:43:03 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-24 21:43:03 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-24 21:43:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2010-07-24 20:50:08 32656 ----a-w- c:\windows\system32\msonpmon.dll
2010-07-24 20:34:01 0 d-----w- c:\program files\Microsoft Visual Studio 8
2010-07-23 13:10:41 0 d-----w- c:\docume~1\edgar\applic~1\TurboMeeting
2010-07-18 13:39:33 0 d-----w- c:\program files\common files\xing shared
2010-07-18 13:38:36 0 d-----w- c:\program files\common files\Real

==================== Find3M ====================

2010-07-18 13:38:42 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-07-18 13:38:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-07-15 19:18:22 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27:11 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 07:41:45 1172480 ----a-w- c:\windows\system32\SET55.tmp
2010-05-25 16:00:18 17712 ----a-w- c:\windows\system32\nitrolocalui.dll
2010-05-25 16:00:16 26416 ----a-w- c:\windows\system32\nitrolocalmon.dll

============= FINISH: 9:15:44.57 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/13/2008 1:20:11 PM
System Uptime: 8/14/2010 8:51:19 AM (1 hours ago)

Motherboard: Hewlett-Packard | | 309B
Processor: AMD Turion(tm) 64 Mobile Technology ML-34 | U23 | 1794/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 92 GiB total, 48.962 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP961: 7/29/2010 3:52:46 PM - System Checkpoint
RP962: 7/31/2010 12:41:39 PM - System Checkpoint
RP963: 8/1/2010 8:48:23 AM - Installed McAfee Virtual Technician
RP964: 8/1/2010 1:12:33 PM - RegCure Backup
RP965: 8/2/2010 8:19:08 PM - System Checkpoint
RP966: 8/3/2010 7:10:44 AM - RegCure Backup
RP967: 8/3/2010 7:12:55 AM - Software Distribution Service 3.0
RP968: 8/3/2010 9:01:33 PM - RegCure Backup
RP969: 8/4/2010 9:24:37 PM - RegCure Backup
RP970: 8/6/2010 9:20:16 AM - System Checkpoint
RP971: 8/6/2010 9:14:49 PM - Removed WinZip 12.1
RP972: 8/6/2010 9:23:57 PM - Installed WinZip 14.0
RP973: 8/7/2010 9:18:58 AM - RegCure Backup
RP974: 8/7/2010 9:31:06 AM - Installed ACT! by Sage Premium 2010
RP975: 8/7/2010 9:32:17 AM - Installed ACT! by Sage Premium 2010
RP976: 8/7/2010 9:38:15 AM - Installed ACT! by Sage Premium 2010
RP977: 8/7/2010 9:39:55 AM - Installed ACT! Internet Sync Service
RP978: 8/7/2010 9:40:28 AM - Installed ACT! by Sage Premium 2010
RP979: 8/8/2010 9:31:27 AM - RegCure Backup
RP980: 8/9/2010 11:29:45 AM - System Checkpoint
RP981: 8/10/2010 12:09:50 PM - System Checkpoint
RP982: 8/10/2010 7:19:10 PM - RegCure Backup
RP983: 8/11/2010 10:09:17 PM - System Checkpoint
RP984: 8/12/2010 9:00:52 AM - RegCure Backup
RP985: 8/12/2010 9:19:53 PM - RegCure Backup
RP986: 8/13/2010 8:15:10 AM - RegCure Backup
RP987: 8/13/2010 3:46:35 PM - Software Distribution Service 3.0
RP988: 8/13/2010 5:14:55 PM - Installed STOPzilla. Available with Windows Installer version 1.2 and later.
RP989: 8/13/2010 10:14:19 PM - Installed STOPzilla!
RP990: 8/13/2010 10:18:39 PM - Removed STOPzilla!
RP991: 8/13/2010 10:24:43 PM - Removed STOPzilla. Available with Windows Installer version 1.2 and later.
RP992: 8/13/2010 10:28:01 PM - Installed STOPzilla!
RP993: 8/13/2010 10:33:24 PM - Removed STOPzilla!
RP994: 8/14/2010 8:01:34 AM - RegCure Backup
RP995: 8/14/2010 9:03:26 AM - Software Distribution Service 3.0

==== Installed Programs ======================

Absolute Poker
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Manager 4.1
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
ArcSoft Panorama Maker 4
AT&T Connect Participant
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Broadcom 802.11 Wireless LAN Adapter
BufferChm
Command WorkStation 5.0.0.94f
Compatibility Pack for the 2007 Office system
Conexant AC-Link Audio
Core FTP LE 2.1
CorelDRAW Graphics Suite 12
CP_AtenaShokunin1Config
CP_CalendarTemplates1
cp_LightScribeConfig
cp_OnlineProjectsConfig
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
cp_PosterPrintConfig
cp_UpdateProjectsConfig
CueTour
Destinations
DeviceManagementQFolder
Enfocus PitStop Professional
EonWorkflow™ Dashboard
ERUNT 1.1j
Full Tilt Poker
FullDPAppQFolder
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Help and Support
HP Imaging Device Functions 6.0
HP Photosmart Premier Software 6.0
HP QuickPlay 2.0
HP Rhapsody
HP Software Update
HP User Guides--System Recovery
HP User Guides 0026
HP Wireless Assistant 2.00 C1
InstantShareDevices
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) 6 Update 7
LightScribe 1.4.56.1
LiveUpdate 2.0 (Symantec Corporation)
Malwarebytes' Anti-Malware
McAfee Security Scan Plus
McAfee SecurityCenter
McAfee Virtual Technician
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft English TTS Engine
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft Streets & Trips 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Move Networks Media Player for Internet Explorer
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 4.5
Nikon Message Center
Nikon Transfer
Norton Ghost 9.0
OptionalContentQFolder
PDF Settings
PhotoGallery
PokerStars
PrintShop Mail 5.0
Quick Launch Buttons 5.20 G1
QuickTime
RandMap
RealPlayer
REALTEK Gigabit and Fast Ethernet NIC Driver
RealUpgrade 1.0
RegCure 2.0.0.0
Security Update for 2007 Microsoft Office System (KB2277947)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for 2007 Microsoft Office System (KB982312)
Security Update for 2007 Microsoft Office System (KB982331)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office Excel 2007 (KB982308)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office Outlook 2007 (KB980376)
Security Update for Microsoft Office PowerPoint 2007 (KB982158)
Security Update for Microsoft Office Publisher 2007 (KB982124)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2251419)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Siebel Outlook Email Integration On Demand
SkinsHP1
Skype Toolbars
Skype™ 4.2
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sonic_PrimoSDK
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TTS Wrapper
TurboMeeting
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office OneNote 2007 (KB980729)
Update for Outlook 2007 Junk Email Filter (kb2279264)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB982632)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
WebEx
WebFldrs XP
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live ID Sign-in Assistant
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB894553
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinZip 14.0
Wireless Home Network Setup
XML Paper Specification Shared Components Pack 1.0

==== Event Viewer Messages From Past Week ========

8/9/2010 6:23:24 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.
8/13/2010 9:32:44 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Schedule service.
8/10/2010 8:04:32 AM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
8/10/2010 8:04:31 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
8/10/2010 2:41:28 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {D3580208-D4E1-46D4-876C-B45A328AF25A} to the user EDGAR-5AF5CAE2E\Edgar SID (S-1-5-21-854245398-1284227242-725345543-1003). This security permission can be modified using the Component Services administrative tool.
8/10/2010 2:08:25 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000000D' while processing the file 'BOOT.INI' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.

==== End Of File ===========================

ken545
2010-08-21, 03:44


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.


Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.

Download OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer to your Desktop.
Close any open browsers.
Double-click on OTS.exe to start the program.
Leave all settings as they appear as default, except for the following:
Under Drivers, select "All".
Under Additional Scans, click on the "Extra" button.

Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the Reply button and attach the notepad file here (do not copy and paste it into a reply; attach it instead).

taichi
2010-08-22, 17:39
Thank you for helping!
Should I run DDS for a new log before or after the GMER and OTE?

ken545
2010-08-22, 18:23
Hi,

No, just run GMER and OTS. The programs will show me what I need; at this point they won't remove anything, but I need to see the reports.

taichi
2010-08-22, 19:55
Thanks for explanation.
GMER is running; it seems like it will take a while. I'll post results later today/tonight after I'm done with both programs.

ken545
2010-08-22, 20:29
GMER can take a while, but it will show if a rootkit-type infection is present. If it quits or stalls and you can't run it, then just run OTS; that scan won't take long.

taichi
2010-08-22, 22:31
GMER took a long time. Pasted below.
I will run the other one next. Thanks again!

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-22 15:24:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Edgar\LOCALS~1\Temp\afnyrfod.sys


---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D70D1]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70D1] ZwCreateKey [0x804D70D1]
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D70D6]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70D6] ZwOpenKey [0x804D70D6]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70DB

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED76778A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xED767738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xED76774C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xED76783F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xED76786B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xED7678D9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xED7678C3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xED7677CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xED767905]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xED767710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xED767724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xED76779E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xED767941]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xED7678AD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xED767897]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xED767855]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xED76792D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xED767919]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xED767776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xED767762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xED767881]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xED7677F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xED7678EF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xED7677E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xED7677B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP ED7677B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP ED76778E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A74F0 7 Bytes JMP ED7677CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8306 5 Bytes JMP ED7677E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA88 7 Bytes JMP ED7677A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1316 5 Bytes JMP ED767714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15A2 5 Bytes JMP ED767728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DD4 5 Bytes JMP ED767766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73EA 7 Bytes JMP ED767750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74A0 5 Bytes JMP ED76773C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79AA 5 Bytes JMP ED76777A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CAA 5 Bytes JMP ED7677FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 80618568 7 Bytes JMP ED76789B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 806188B6 7 Bytes JMP ED767885 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80618BE0 7 Bytes JMP ED7678F3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80619492 7 Bytes JMP ED7678B1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 80619D66 7 Bytes JMP ED767859 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 8061A7E0 7 Bytes JMP ED767843 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 8061A9B0 7 Bytes JMP ED76786F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB90 7 Bytes JMP ED7678DD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8061ADFA 7 Bytes JMP ED7678C7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 8061BA64 7 Bytes JMP ED767945 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8061BD24 5 Bytes JMP ED76791D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8061C418 5 Bytes JMP ED767931 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 8061C532 5 Bytes JMP ED767909 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF672EEBF]
.text C:\WINDOWS\system32\DRIVERS\aksfridge.sys section is writeable [0xEB0CC000, 0x48011, 0xE0000020]
.init C:\WINDOWS\system32\DRIVERS\aksfridge.sys entry point in ".init" section [0xEB121224]
.init C:\WINDOWS\system32\DRIVERS\aksfridge.sys unknown last code section [0xEB121000, 0x4000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xEDFE0400, 0x6E1B2, 0xE8000020]
.protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xEE06A220] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xEE06A220]
.protectÿÿÿÿhardlockunknown last code section [0xEE06A000, 0x50EA, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xEE06A000, 0x50EA, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F22
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F33
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F50
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F6B
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F97
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0EF6
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0032
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A0085
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0074
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0ED1
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0F7C
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A0F11
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A0FB2
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A004F
.text C:\WINDOWS\System32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290047
.text C:\WINDOWS\System32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0029008E
.text C:\WINDOWS\System32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00290036
.text C:\WINDOWS\System32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0029001B
.text C:\WINDOWS\System32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290073
.text C:\WINDOWS\System32\svchost.exe[332] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\System32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00290062
.text C:\WINDOWS\System32\svchost.exe[332] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FDB
.text C:\WINDOWS\System32\svchost.exe[332] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0031
.text C:\WINDOWS\System32\svchost.exe[332] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FA6
.text C:\WINDOWS\System32\svchost.exe[332] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FC1
.text C:\WINDOWS\System32\svchost.exe[332] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0FEF
.text C:\WINDOWS\System32\svchost.exe[332] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0016
.text C:\WINDOWS\System32\svchost.exe[332] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FDE
.text C:\WINDOWS\System32\svchost.exe[332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0000
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01F9000A
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01F90F77
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01F9006C
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01F90F9E
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01F90FB9
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01F90040
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01F900A9
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01F90098
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01F900D8
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01F90F35
.text
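
The GMER report above (it continues in the next post) is mostly a list of hooks, and the first question a practitioner asks of it is who owns each one. The Python below is an added example, not code from this thread, from GMER or from Safer Networking: it parses the SSDT/Code table and the inline-patch lines of a GMER 1.0.15 report and separates hooks that GMER resolved to a named module (here McAfee's host-intrusion driver mfehidk.sys, which GMER prints with its vendor string) from user-mode JMPs whose targets GMER printed no module for. The sample input is a constructed subset of lines copied from the log; the regular expressions, the entry layout and the 64 KB page grouping are my own choices, and the script deliberately does not call anything malicious: as the instructions above say, an unattributed hook has to be checked against the process's loaded modules before anyone acts on it.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the GMER report posted in this
# thread, so the parser can be exercised offline. Not the full report.
SAMPLE_LOG = r"""
SSDT \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D70D1]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D70D1] ZwCreateKey [0x804D70D1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xED76778A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
.text ntkrnlpa.exe!ZwYieldExecution 8050225C 7 Bytes JMP ED7677B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2EE 5 Bytes JMP ED76778E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[332] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[332] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006E0000
.text C:\WINDOWS\Explorer.EXE[668] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01EA0FEF
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01F80F9B
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 8A]
.text C:\WINDOWS\system32\lsass.exe[1068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00ED0FEF
"""

# "SSDT"/"Code" table entries: owner module, optional vendor string, hooked function.
KTABLE_RE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<owner>\S+?)"
    r"(?:\[unknown section\]\s+\[[0-9A-F]+\]|\s+\((?P<desc>[^)]*)\))\s+(?P<func>\w+)"
)
# Inline patches (".text"/"PAGE" sections): where!func, patched address, byte count, what was written.
INLINE_RE = re.compile(
    r"^(?:\.text|PAGE)\s+(?P<where>.+?)!(?P<func>\w+)(?:\s\+\s(?P<off>\d+))?"
    r"\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<rest>.*)$"
)
# User-mode "where" looks like: C:\path\proc.exe[pid] module.dll ; kernel-mode is just the image name.
PROC_RE = re.compile(r"^(?P<proc>.+)\[(?P<pid>\d+)\]\s+(?P<mod>\S+)$")
# A JMP target, optionally followed by the module GMER resolved it to and that module's vendor string.
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-F]+)(?:\s+(?P<owner>\S+)(?:\s+\((?P<desc>[^)]*)\))?)?\s*$")


def parse_gmer(text):
    """Parse the 'System' and code-section parts of a GMER 1.0.15 report.

    Returns (table, inline): table entries are SSDT/Code hooks; inline entries are
    byte patches with scope 'kernel' or 'user', the JMP target (None for raw bytes)
    and the owner module GMER printed for the target (None when it printed nothing).
    """
    table, inline = [], []
    for line in text.splitlines():
        line = line.strip()
        m = KTABLE_RE.match(line)
        if m:
            table.append({"kind": m["kind"], "func": m["func"],
                          "owner": m["owner"], "desc": m["desc"] or ""})
            continue
        m = INLINE_RE.match(line)
        if not m:
            continue  # writeable-section notes, headers, blank lines
        j = JMP_RE.match(m["rest"])
        entry = {
            "func": m["func"], "addr": int(m["addr"], 16), "nbytes": int(m["n"]),
            "target": int(j["target"], 16) if j else None,
            "owner": j["owner"] if j else None,
            "desc": (j["desc"] or "") if j else "",
            "raw": None if j else m["rest"],
        }
        p = PROC_RE.match(m["where"])
        if p:
            entry.update(scope="user", proc=p["proc"], pid=int(p["pid"]), module=p["mod"])
        else:
            entry.update(scope="kernel", proc=None, pid=None, module=m["where"])
        inline.append(entry)
    return table, inline


def summarize_owners(table, inline):
    """Count hook entries per owning module; 'unattributed' means GMER printed no module for the target."""
    counts = defaultdict(int)
    for e in table:
        counts[e["owner"]] += 1
    for e in inline:
        counts[e["owner"] or "unattributed"] += 1
    return dict(counts)


def unattributed_user_hooks(inline):
    """Group user-mode JMP hooks with no resolved owner by (process, pid).

    For each process: the hooked APIs and the 64 KB pages the JMPs land in. The same
    API set across many processes, each with its own private target pages, is the
    shape of an injected hooking DLL; whether that DLL is a security product or
    malware has to be settled from the process's module list, not from this report.
    """
    groups = defaultdict(lambda: {"apis": [], "pages": set()})
    for e in inline:
        if e["scope"] == "user" and e["target"] is not None and e["owner"] is None:
            g = groups[(e["proc"], e["pid"])]
            g["apis"].append(f'{e["module"]}!{e["func"]}')
            g["pages"].add(e["target"] & 0xFFFF0000)
    return {k: {"apis": sorted(v["apis"]), "pages": sorted(v["pages"])}
            for k, v in groups.items()}


if __name__ == "__main__":
    table, inline = parse_gmer(SAMPLE_LOG)
    for owner, n in summarize_owners(table, inline).items():
        print(f"{n:3d} hook(s) owned by {owner}")
    for (proc, pid), g in unattributed_user_hooks(inline).items():
        pages = ", ".join(f"{p:08X}" for p in g["pages"])
        print(f"{proc}[{pid}]: {len(g['apis'])} hooked APIs -> pages {pages}")
```

Run it against the full pasted report instead of SAMPLE_LOG and the output is a per-process list of hooked APIs and target pages; the next step in a real triage is to compare those pages with the module list of each process (OTS's process/module scan, or Process Explorer) rather than to delete anything on the strength of the GMER lines alone.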

taichi
2010-08-22, 22:33
C:\WINDOWS\Explorer.EXE[668] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01F90F24
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01F9005B
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01F90FEF
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01F90087
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01F90FD4
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01F90025
.text C:\WINDOWS\Explorer.EXE[668] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01F90F46
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01F8002C
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01F80F80
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01F80FD1
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01F80011
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01F8003D
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01F80000
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01F80F9B
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [18, 8A]
.text C:\WINDOWS\Explorer.EXE[668] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01F80FB6
.text C:\WINDOWS\Explorer.EXE[668] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01F60F9C
.text C:\WINDOWS\Explorer.EXE[668] msvcrt.dll!system 77C293C7 5 Bytes JMP 01F60FB7
.text C:\WINDOWS\Explorer.EXE[668] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01F60027
.text C:\WINDOWS\Explorer.EXE[668] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01F60000
.text C:\WINDOWS\Explorer.EXE[668] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01F60FC8
.text C:\WINDOWS\Explorer.EXE[668] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01F60FE3
.text C:\WINDOWS\Explorer.EXE[668] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 01EA0FEF
.text C:\WINDOWS\Explorer.EXE[668] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 01EA0FDE
taichi
2010-08-22, 22:33

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat PQV2i.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----

ken545
2010-08-22, 22:50
If you have not started the OTS scan, then hang off a bit and let's run this program


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

taichi
2010-08-22, 22:56
I have to break the log into parts, because it exceeds the forum limit. Having problems getting it to upload even in smaller pieces. I'll be back.

taichi
2010-08-22, 23:03
The OTS file is about 400k. I tried to use WinZip, got a blue screen and the computer restarted. I think this will take about 4 attachments? Unless you want me to try to copy/paste it?
Thanks!

taichi
2010-08-22, 23:05
I'm sorry, I did not see your reply about ComboFix. I will download and run it next instead. It will probably be tomorrow before I can post the results, though.
Thanks for everything.
Taichi

ken545
2010-08-22, 23:54
Let's forget that for the moment; look back at my previous reply and run ComboFix.

taichi
2010-08-24, 00:50
Here's the ComboFix log. Thank you for helping!

ComboFix 10-08-21.06 - Edgar 08/23/2010 17:35:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1278.638 [GMT -4:00]
Running from: c:\documents and settings\Edgar\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Edgar\Favorites\Kaspersky Online Scanner 7.0.url
c:\documents and settings\Edgar\Favorites\Paper Calculator v2.0.url
c:\documents and settings\Edgar\Favorites\vuze The most powerful bittorrent client in the world..url
c:\documents and settings\Edgar\GoToAssistDownloadHelper.exe
c:\documents and settings\Edgar\System
c:\documents and settings\Edgar\System\win_qs8.jqx
C:\LOG54.tmp
c:\windows\jestertb.dll

.
((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.

2010-08-20 16:15 . 2010-08-20 16:15 -------- d-----w- C:\DodgePlans
2010-08-18 01:14 . 2010-08-18 01:14 503808 ----a-w- c:\documents and settings\Edgar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23507f48-n\msvcp71.dll
2010-08-18 01:14 . 2010-08-18 01:14 499712 ----a-w- c:\documents and settings\Edgar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23507f48-n\jmc.dll
2010-08-18 01:14 . 2010-08-18 01:14 348160 ----a-w- c:\documents and settings\Edgar\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-23507f48-n\msvcr71.dll
2010-08-18 01:14 . 2010-08-18 01:14 61440 ----a-w- c:\documents and settings\Edgar\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-125e1f6c-n\decora-sse.dll
2010-08-18 01:14 . 2010-08-18 01:14 12800 ----a-w- c:\documents and settings\Edgar\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-125e1f6c-n\decora-d3d.dll
2010-08-16 13:46 . 2010-08-16 13:46 -------- d-----w- c:\documents and settings\Edgar\XES
2010-08-16 13:43 . 2010-08-16 13:45 -------- d-----w- c:\program files\AccXES
2010-08-16 13:43 . 2010-08-16 13:43 -------- d--h--w- c:\program files\Zero G Registry
2010-08-16 13:43 . 2010-08-16 13:43 -------- d--h--w- c:\documents and settings\Edgar\InstallAnywhere
2010-08-14 23:37 . 2010-08-14 23:37 -------- d-----w- c:\windows\system32\LogFiles
2010-08-14 22:17 . 2010-08-14 22:17 -------- d-----w- c:\program files\CCleaner
2010-08-14 18:32 . 2010-08-14 18:32 -------- d-----w- c:\program files\ESET
2010-08-14 13:08 . 2010-08-14 13:09 -------- d-----w- c:\program files\ERUNT
2010-08-14 02:39 . 2010-08-14 02:39 -------- d-----w- c:\documents and settings\Edgar\Application Data\Malwarebytes
2010-08-14 02:39 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-14 02:39 . 2010-08-14 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-08-14 02:39 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-14 02:39 . 2010-08-14 02:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-14 02:28 . 2010-08-14 02:28 -------- d-----w- c:\documents and settings\Edgar\Application Data\STOPzilla!
2010-08-13 21:26 . 2010-08-13 21:18 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-08-13 21:15 . 2010-08-14 02:33 -------- d-----w- c:\program files\STOPzilla!
2010-08-13 21:15 . 2010-08-14 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-08-13 01:49 . 2010-08-13 01:49 310208 ----a-w- c:\documents and settings\Edgar\Application Data\Azureus\plugins\mlab\ShaperProbeC.exe
2010-08-13 01:47 . 2010-08-13 01:47 -------- d-----w- c:\documents and settings\Edgar\Local Settings\Application Data\Conduit
2010-08-13 01:47 . 2010-08-13 01:47 -------- d-----w- c:\program files\Conduit
2010-08-13 01:47 . 2010-08-14 12:51 -------- d-----w- c:\program files\Vuze_Remote
2010-08-11 13:04 . 2010-08-11 13:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-08-11 13:03 . 2007-01-25 17:24 286208 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpzpp4wm.dll
2010-08-11 13:03 . 2007-02-15 00:23 188416 ----a-w- c:\windows\system32\hppcew04.dll
2010-08-11 13:03 . 2006-04-04 21:20 9344 ----a-w- c:\windows\system32\drivers\hpfxbulk.sys
2010-08-11 13:03 . 2006-04-04 21:19 17024 ----a-w- c:\windows\system32\drivers\hpfxgen.sys
2010-08-11 13:03 . 2007-02-22 18:53 331776 ----a-w- c:\windows\system32\hppepr04.dll
2010-08-11 13:03 . 2006-08-31 21:20 648 ----a-w- c:\windows\system32\hppapr04.dat
2010-08-11 13:03 . 2006-08-21 21:45 241664 ----a-w- c:\windows\system32\hppapr04.dll
2010-08-11 12:50 . 2008-04-14 04:17 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-08-11 12:50 . 2008-04-14 04:17 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-08-10 14:32 . 2010-08-10 14:32 -------- d-----w- c:\program files\Dzip
2010-08-01 13:15 . 2010-08-01 13:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2010-08-01 13:11 . 2010-08-01 13:11 -------- d-----w- c:\program files\Citrix
2010-08-01 13:11 . 2010-08-01 13:11 -------- d-----w- c:\documents and settings\Edgar\Local Settings\Application Data\Citrix
2010-08-01 12:51 . 2010-08-01 12:50 300384 ----a-w- c:\documents and settings\Edgar\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2010-08-01 12:50 . 2010-08-01 12:50 300384 ----a-w- c:\documents and settings\All Users\Application Data\McAfee\Supportability\Content\MVT\XMLFiles\detect.dll
2010-08-01 12:49 . 2010-08-01 12:49 -------- d-----w- c:\documents and settings\Edgar\Application Data\McAfee
2010-07-31 22:14 . 2010-07-31 22:27 -------- d-----w- c:\program files\RegCure
2010-07-31 21:56 . 2010-07-31 22:14 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-07-30 20:15 . 2010-07-30 23:58 -------- d-----w- c:\program files\Speeditup Free
2010-07-30 20:15 . 2010-07-30 20:15 -------- d-----w- c:\windows\Speeditup Free
2010-07-24 21:55 . 2010-07-24 21:55 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-07-24 21:49 . 2010-07-24 23:56 -------- d-----w- c:\program files\Windows Desktop Search
2010-07-24 21:49 . 2010-07-24 21:49 -------- d-----w- c:\windows\system32\GroupPolicy
2010-07-24 21:43 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2010-07-24 21:43 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2010-07-24 21:43 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-23 19:31 . 2008-06-18 23:27 -------- d-----w- c:\program files\Absolute Poker
2010-08-22 21:49 . 2008-07-26 01:12 -------- d-----w- c:\program files\PokerStars
2010-08-22 12:27 . 2008-07-18 18:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-08-21 10:42 . 2008-06-13 19:05 344040 -c--a-w- c:\documents and settings\Edgar\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-08-19 17:28 . 2010-06-26 14:48 -------- d-----w- c:\program files\McAfee
2010-08-18 00:24 . 2010-07-08 14:18 -------- d-----w- c:\documents and settings\Edgar\Application Data\Skype
2010-08-17 20:00 . 2010-07-08 14:23 -------- d-----w- c:\documents and settings\Edgar\Application Data\skypePM
2010-08-14 13:06 . 2010-07-24 20:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-08-14 12:49 . 2010-04-27 01:55 -------- d-----w- c:\program files\Vuze
2010-08-14 12:49 . 2010-04-27 01:56 -------- d-----w- c:\documents and settings\Edgar\Application Data\Azureus
2010-08-14 02:09 . 2010-08-14 02:09 256 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-08-14 01:48 . 2010-08-13 21:36 3488 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-08-10 00:09 . 2008-06-20 23:56 -------- d-----w- c:\program files\Full Tilt Poker
2010-08-07 01:25 . 2010-06-20 15:41 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2010-08-04 22:43 . 2010-06-26 15:15 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-08-01 12:48 . 2009-08-04 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-08-01 00:11 . 2010-04-27 01:55 -------- d-----w- c:\program files\Bing Bar Installer
2010-08-01 00:11 . 2010-06-20 15:39 -------- d-----w- c:\program files\Microsoft
2010-07-25 00:51 . 2008-08-05 17:06 -------- d-----w- c:\program files\Common Files\EPSON
2010-07-25 00:35 . 2008-07-14 14:37 -------- d-----w- c:\program files\Apple Software Update
2010-07-25 00:23 . 2010-07-24 20:46 -------- d-----w- c:\program files\Microsoft Works
2010-07-25 00:21 . 2008-08-05 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\EPSON
2010-07-24 20:46 . 2009-09-04 01:15 -------- d-----w- c:\program files\MSBuild
2010-07-24 20:43 . 2010-07-24 20:43 -------- d-----w- c:\program files\Microsoft.NET
2010-07-24 20:34 . 2010-07-24 20:34 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2010-07-18 13:54 . 2008-07-14 14:37 -------- d-----w- c:\program files\QuickTime
2010-07-18 13:53 . 2010-07-18 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-07-18 13:40 . 2010-07-18 13:40 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-07-18 13:40 . 2010-07-18 13:40 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-07-18 13:40 . 2010-07-18 13:40 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-07-18 13:40 . 2010-07-18 13:40 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-07-18 13:40 . 2010-07-18 13:40 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-07-18 13:40 . 2010-07-18 13:40 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-07-18 13:40 . 2010-07-18 13:40 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-07-18 13:40 . 2010-07-18 13:40 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-07-18 13:40 . 2010-07-18 13:40 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-07-18 13:40 . 2010-07-18 13:38 -------- d-----w- c:\program files\Common Files\Real
2010-07-18 13:39 . 2010-07-18 13:38 -------- d-----w- c:\program files\Real
2010-07-18 13:39 . 2010-07-18 13:39 -------- d-----w- c:\program files\Common Files\xing shared
2010-07-18 13:38 . 2003-03-19 02:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-07-18 13:38 . 2003-02-21 10:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-07-15 19:18 . 2010-06-26 14:50 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2010-07-08 14:24 . 2010-07-08 14:24 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-07-08 14:17 . 2010-07-08 14:16 -------- d-----r- c:\program files\Skype
2010-07-08 14:17 . 2010-07-08 14:17 -------- d-----w- c:\program files\Common Files\Skype
2010-07-08 14:16 . 2010-07-08 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-06-30 12:31 . 2004-08-10 20:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-26 14:54 . 2010-06-26 14:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-06-26 14:50 . 2010-06-26 14:49 -------- d-----w- c:\program files\Common Files\McAfee
2010-06-26 14:49 . 2010-06-26 14:49 -------- d-----w- c:\program files\McAfee.com
2010-06-26 14:07 . 2010-06-26 14:07 -------- d-----w- c:\documents and settings\LocalService\Application Data\McAfee
2010-06-26 14:07 . 2010-06-23 13:31 -------- d-----w- c:\program files\McAfee Security Scan
2010-06-24 12:22 . 2004-08-10 20:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-10 20:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-22 23:45 . 2010-06-22 23:45 501936 ----a-w- c:\documents and settings\All Users\Application Data\Google\Google Toolbar\Update\gtbB1.tmp.exe
2010-06-21 15:27 . 2004-08-10 20:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-10 20:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-06-13 17:13 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-10 20:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-13 18:59 . 2010-06-13 19:00 53632 ----a-w- c:\documents and settings\Edgar\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-06-12 02:35 . 2010-06-12 02:35 40 -c--a-w- c:\windows\efi_del.bat
2010-05-26 01:14 . 2010-05-26 01:14 503808 -c--a-w- c:\documents and settings\Edgar\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-24e1c6f0-n\msvcp71.dll
2010-05-26 01:14 . 2010-05-26 01:14 499712 -c--a-w- c:\documents and settings\Edgar\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-24e1c6f0-n\jmc.dll
2010-05-26 01:14 . 2010-05-26 01:14 348160 -c--a-w- c:\documents and settings\Edgar\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-24e1c6f0-n\msvcr71.dll
2010-05-26 01:14 . 2010-05-26 01:14 61440 -c--a-w- c:\documents and settings\Edgar\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6f6b3f23-n\decora-sse.dll
2010-05-26 01:14 . 2010-05-26 01:14 12800 -c--a-w- c:\documents and settings\Edgar\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-6f6b3f23-n\decora-d3d.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-01 39408]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-13 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-09-15 1015808]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-02 344064]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-08-01 233534]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-13 507904]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Edgar\\Application Data\\Color_Server_Client_Tools\\JRE\\JRE1.5\\bin\\DEX_IC-304V2.EXE"=
"c:\\Program Files\\Fiery\\Applications3\\Command WorkStation 5\\Contents\\WinOS\\cws.exe"=
"c:\\Program Files\\Fiery\\Applications3\\Common Files\\EFI\\Impose3\\pdfserver.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24654:UDP"= 24654:UDP:Enfocus Port
"1947:TCP"= 1947:TCP:HASP SRM
"1947:UDP"= 1947:UDP:HASP SRM
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [11/10/2004 10:30 AM 138801]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [11/10/2004 10:49 AM 46800]
R2 EFI ES1000;EFI ES1000;c:\program files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe [12/4/2008 10:20 AM 9216]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/26/2010 10:53 AM 88176]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [6/13/2008 1:53 PM 231424]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/22/2010 10:53 AM 135664]
S3 hasplms;HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S3 i1;eye-one;c:\windows\system32\drivers\i1.sys [6/19/2008 5:48 PM 26045]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
.
Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-01 09:37]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-22 14:52]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-22 14:52]

2010-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-26 16:22]

2010-08-21 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-06-26 16:22]

2010-08-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-854245398-1284227242-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-08-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-854245398-1284227242-725345543-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-03 07:02]

2010-08-15 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 22:13]

2010-08-15 c:\windows\Tasks\RegCure Startup.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 22:13]

2010-08-15 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2009-09-21 22:13]

2010-08-23 c:\windows\Tasks\User_Feed_Synchronization-{A80AC0D4-B61D-4B77-B50B-7D2875F14696}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.unitedprintingsolutions.com/home
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: Save Page As PDF ... - file://c:\program files\Nitro PDF\PDF Download\nitroweb.htm
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
FF - ProfilePath - c:\documents and settings\Edgar\Application Data\Mozilla\Firefox\Profiles\y9www687.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=VUZTDF&PC=VUZE&q=
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-23 17:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?7?2?4??@???? ???B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1004)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-08-23 17:43:51
ComboFix-quarantined-files.txt 2010-08-23 21:43

Pre-Run: 49,695,580,160 bytes free
Post-Run: 49,727,610,880 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - 6AE38A3D6CDBCB891336D5117E4818EA

ken545
2010-08-24, 01:19
Hi,

I see a couple of bad files that need to go, but before we remove them let's run Malwarebytes and see if that gets them.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.




Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

taichi
2010-08-24, 02:23
ATF done and Malwarebytes, too. Malwarebytes did not find anything. Log is below.

Also, before the ATF & Malwarebytes were run, McAfee came on and said it discovered and deleted a trojan called "Artemis....(lots of numbers/alpha)" in combofix.exe.
McAfee may have deleted combofix, so if needed i will have to redownload it.

Thank you.



mbam log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4467

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/23/2010 7:13:54 PM
mbam-log-2010-08-23 (19-13-54).txt

Scan type: Quick scan
Objects scanned: 138872
Time elapsed: 14 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ken545
2010-08-24, 02:48
Actually after researching those files they may have been created when you made some sort of configuration change.

RegCure <- Unless you're a Windows expert you should not be playing around with any registry cleaners. Remove unneeded entries and you will see no difference in system performance; remove the wrong entry or entries (and legit programs sometimes do) and you can wind up using your computer for a doorstop.

Everything looks ok. Run this free online virus scanner and let's see if it picks up something the other scans may have missed.

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

taichi
2010-08-24, 03:01
My husband installed the "reg cure" program and may have run it before problems started, or after...I'm not sure. But neither one of us is an expert by any stretch of the imagination! If you think we should remove it, please tell me how you think is best to remove it completely. Thanks!

I will go have the eset online scanner run. Thanks again!!
-tai

taichi
2010-08-24, 03:06
Probably a dumb question, but... am I supposed to disable McAfee firewall and virus scan while the eset scanner is running?
Thanks!

ken545
2010-08-24, 03:08
RegCure, that's totally up to you. I've been in computing for many years and never really had any use for a reg cleaner. I can't tell you how many people have posted in the past with all kinds of problems, and I look at their logs and they have a few reg cleaners installed and run them quite often.

When we're done I can show you how to remove a reg entry when you uninstall a program for a clean uninstall.

ken545
2010-08-24, 03:20
Sorry, missed your post about disabling your AV, yes you should

You have McAfee installed

Look here for instructions
http://www.bleepingcomputer.com/forums/topic114351.html

taichi
2010-08-24, 05:15
I ran the Eset online scanner. Here is the copy of results log.
Thank you for assistance.

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=798f9f5863503c42805d8a72977bba42
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-24 01:51:20
# local_time=2010-08-23 09:51:20 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 16776869 100 96 1836891 34617819 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=206224
# found=0
# cleaned=0
# scan_time=5585

ken545
2010-08-24, 10:18
Looks ok. This is what we have done so far: running GMER checks for a rootkit, an infection that hides from the operating system and most scanners, and that report came back ok. Combofix removed a few things, none really earth shattering. Malwarebytes and ESET both come back clean, so I feel at this point that if your computer is still slow it most likely is a software, hardware or Windows issue. If you like I can link you to a site we work closely with and you can post in their Windows forum for help. They can help you sort out your programs and the ones that start up, and possibly improve the performance of your system.

http://forums.whatthetech.com/index.php?showforum=119
Like Safer, this forum is free but you will need to register.

You can also link them to this thread if you wish so they can see what we have done.

Ken :)

taichi
2010-08-24, 14:07
So everything looks clean now? That would be great!

If you could give instructions on removing the RegCure, that would be helpful, as well. Thank you so much!

ken545
2010-08-24, 14:13
You should be able to remove it via Add Remove Programs in the Control Panel

Go To Start> Control Panel> Add Remove Programs and look for RegCure and uninstall it.

GMER <--Drag it to the trash

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can damage your system


Click START then RUN
Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.


http://i526.photobucket.com/albums/cc345/MPKwings/CF-Uninstall.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.





Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.






How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall is recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

WinPatrol (www.winpatrol.com/download.html) Keep this fine program activated to block a lot of threats

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

taichi
2010-08-24, 14:56
Okay, I will try to remove gmer through control panel, and do the clean up things you listed tonight after work.

About the Kaspersky and eset scanner... should I leave them or will the OTC remove them?

Would you please keep this topic thread open for a little bit longer, in case I run into problems when cleaning tonight and tomorrow. Thank you.

After that I will post in the other forum about the computer slowness and link back here to see if they can help.

Thanks again for all your help!
TaiChi

ken545
2010-08-24, 15:15
Okay, I will try to remove gmer through control panel
You mean RegCure

OTC will remove GMER

As far as the online scans you can just delete them

I will keep this thread open for you for a few days in case you need help