[Solved] I cannot get Windows Update to work, error code 80070422

sjf3

Please could someone help me getting windows update to work?
After removing a virus I get Windows could not search for new updates error code 80070422

I have gone through and turned on all the services in Control Panel (some of which were set to have a delayed start), which Windows Help suggests could fix the error, but it still doesn't work.

BTW I am running windows vista home.

Please help me I am stuck.
Thanks
Steve
 
Welcome aboard

Please, complete all steps listed here: https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/
Make sure you PASTE all logs. If some log exceeds the 50,000 character post limit, split it between a couple of replies.
Attached logs won't be reviewed.

Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.
 
logs

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6260

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18928

03/04/2011 23:34:55
mbam-log-2011-04-03 (23-34-55).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 331868
Time elapsed: 48 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 9
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ResultBar (Adware.ResultBar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ResultBar Service (Adware.ResultBar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Value: Cognac -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0 (Trojan.FakeAlert) -> Value: 5c54d9f8-09c1-4c04-aa57-1c76128b1bf0 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\programdata\resultbar (Adware.ResultBar) -> Quarantined and deleted successfully.
c:\program files\clickpotatolite (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files\clickpotatolite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files\clickpotatolite\bin\10.0.536.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{34efa911-b536-4c08-bece-cd5e55c875b0} (Adware.ResultBar) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{34efa911-b536-4c08-bece-cd5e55c875b0}\chrome (Adware.ResultBar) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{34efa911-b536-4c08-bece-cd5e55c875b0}\defaults (Adware.ResultBar) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{34efa911-b536-4c08-bece-cd5e55c875b0}\defaults\preferences (Adware.ResultBar) -> Quarantined and deleted successfully.
c:\program files\resultbar (Adware.ResultBar) -> Quarantined and deleted successfully.

Files Infected:
c:\Windows\010112010146101105.rx (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\010112010146116101.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
c:\Windows\0101120101465249.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
c:\Windows\0101120101465250.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
c:\Windows\0101120101465355.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
c:\Windows\0101120101465649.xxe (KoobFace.Trace) -> Quarantined and deleted successfully.
c:\Windows\dxxdv34567.bat (KoobFace.Trace) -> Quarantined and deleted successfully.
c:\Windows\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.
c:\Windows\mmsmark3.dat (KoobFace.Trace) -> Quarantined and deleted successfully.
c:\Windows\rdr_1258929920.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\Windows\rdr_1259088080.exe (Worm.Koobface) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{5b57cf47-0bfa-43c6-acf9-3b3653dcadba}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{783af354-b514-42d6-970e-3e8bf0a5279c}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{34efa911-b536-4c08-bece-cd5e55c875b0}\chrome.manifest (Adware.ResultBar) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{34efa911-b536-4c08-bece-cd5e55c875b0}\install.rdf (Adware.ResultBar) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{34efa911-b536-4c08-bece-cd5e55c875b0}\chrome\resultbar.jar (Adware.ResultBar) -> Quarantined and deleted successfully.
c:\program files\mozilla firefox\extensions\{34efa911-b536-4c08-bece-cd5e55c875b0}\defaults\preferences\prefs.js (Adware.ResultBar) -> Quarantined and deleted successfully.
 
GMER log part1

GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-04 20:13:37
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500620AS rev.DE13
Running: y5f8w0qg.exe; Driver: C:\Users\Trevor\AppData\Local\Temp\ufdiipob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x82A360B8]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x82A360E2]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x82A360CE]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x82A360A4]
Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 824729D2 5 Bytes JMP 82A360A8 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82637DA3 5 Bytes JMP 82A360E6 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 826574FA 7 Bytes JMP 82A360BC \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 826577BD 5 Bytes JMP 82A360D2 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8BA0C000, 0x1F8CAC, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\System32\svchost.exe[400] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 000B0FE5
.text C:\Windows\System32\svchost.exe[400] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 000B0FAF
.text C:\Windows\System32\svchost.exe[400] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 000B0FD4
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 00050F59
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 0005009F
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 00050F2A
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 000500CB
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 00050F92
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 0005002F
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 0005004A
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 0005008E
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 00050FA3
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 0005006C
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 00050FC0
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 0005005B
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 0005007D
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 000500DC
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 0005000A
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[400] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 000500BA
.text C:\Windows\System32\svchost.exe[400] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 000C0F8D
.text C:\Windows\System32\svchost.exe[400] msvcrt.dll!system 77D7804B 5 Bytes JMP 000C0F9E
.text C:\Windows\System32\svchost.exe[400] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 000C0FD4
.text C:\Windows\System32\svchost.exe[400] msvcrt.dll!_open 77D7D106 5 Bytes JMP 000C000C
.text C:\Windows\System32\svchost.exe[400] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 000C0FB9
.text C:\Windows\System32\svchost.exe[400] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 000C0FEF
.text C:\Windows\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExA 765839AB 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 000A0FAF
.text C:\Windows\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 000A0FCA
.text C:\Windows\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 000A0000
.text C:\Windows\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 000A0051
.text C:\Windows\System32\svchost.exe[400] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 000A0076
.text C:\Windows\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 000A0FE5
.text C:\Windows\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 000A001B
.text C:\Windows\System32\svchost.exe[400] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 000A0036
.text C:\Windows\system32\services.exe[696] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 006C0FEF
.text C:\Windows\system32\services.exe[696] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 006C000A
.text C:\Windows\system32\services.exe[696] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 006C0FD4
.text C:\Windows\system32\services.exe[696] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 006B0F3C
.text C:\Windows\system32\services.exe[696] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 006B0F4D
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 006B00A4
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 006B0093
.text C:\Windows\system32\services.exe[696] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 006B005D
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 006B0FCD
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 006B0FA8
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 006B0F68
.text C:\Windows\system32\services.exe[696] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 006B0040
.text C:\Windows\system32\services.exe[696] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 006B0F8D
.text C:\Windows\system32\services.exe[696] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 006B002F
.text C:\Windows\system32\services.exe[696] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 006B0014
.text C:\Windows\system32\services.exe[696] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 006B0078
.text C:\Windows\system32\services.exe[696] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 006B00B5
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 006B0FDE
.text C:\Windows\system32\services.exe[696] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 006B0FEF
.text C:\Windows\system32\services.exe[696] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 006B0F17
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 00710F8D
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 00710039
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 00710FEF
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 00710FB2
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 00710F7C
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 00710FD4
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 0071000A
.text C:\Windows\system32\services.exe[696] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 00710FC3
.text C:\Windows\system32\services.exe[696] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 00960036
.text C:\Windows\system32\services.exe[696] msvcrt.dll!system 77D7804B 5 Bytes JMP 0096001B
.text C:\Windows\system32\services.exe[696] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 00960FC6
.text C:\Windows\system32\services.exe[696] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00960000
.text C:\Windows\system32\services.exe[696] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00960FB5
.text C:\Windows\system32\services.exe[696] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 00960FE3
.text C:\Windows\system32\services.exe[696] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 0072000A
.text C:\Windows\system32\lsass.exe[708] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 00840000
.text C:\Windows\system32\lsass.exe[708] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 0084002C
.text C:\Windows\system32\lsass.exe[708] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 0084001B
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 001800C4
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 001800B3
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 001800F0
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 00180F59
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 00180F92
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 0018001B
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 00180FD4
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 00180098
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 0018006C
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 0018005B
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 00180FB9
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 00180040
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 00180087
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 00180101
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 00180000
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 00180FEF
.text C:\Windows\system32\lsass.exe[708] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 001800D5
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 00860FA5
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 00860051
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 00860000
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 00860FC0
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 00860F94
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 00860025
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 00860FEF
.text C:\Windows\system32\lsass.exe[708] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 00860036
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 00880FB7
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!system 77D7804B 5 Bytes JMP 00880FC8
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 0088001D
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00880000
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00880038
.text C:\Windows\system32\lsass.exe[708] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 00880FE3
.text C:\Windows\system32\lsass.exe[708] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 00870000
.text C:\Windows\system32\svchost.exe[760] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 009A0FE5
.text C:\Windows\system32\svchost.exe[760] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 009A0025
.text C:\Windows\system32\svchost.exe[760] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 009A000A
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 002F0F4D
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 002F0F68
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 002F0F21
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 002F00AE
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 002F0089
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 002F0FE5
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 002F0036
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 002F0F79
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 002F0FAF
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 002F0062
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 002F0FC0
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 002F0051
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 002F0F94
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 002F00D3
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 002F0011
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 002F0000
.text C:\Windows\system32\svchost.exe[760] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 002F0F32
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 00A10F86
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!system 77D7804B 5 Bytes JMP 00A10F97
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 00A10FC6
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00A10000
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00A10011
.text C:\Windows\system32\svchost.exe[760] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 00A10FE3
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 00300FB9
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 00300FCA
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 00300000
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 00300051
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 00300F9E
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 00300FE5
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 00300011
.text C:\Windows\system32\svchost.exe[760] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 0030002C
.text C:\Windows\system32\svchost.exe[760] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 00A00000
.text C:\Windows\system32\svchost.exe[900] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 000E000A
.text C:\Windows\system32\svchost.exe[900] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 000E0036
.text C:\Windows\system32\svchost.exe[900] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 000E001B
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 000D0F74
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 000D00B0
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 000D0101
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 000D00E6
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 000D007D
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 000D0FE5
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 000D0036
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 000D009F
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 000D006C
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 000D0FCA
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 000D0FAF
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 000D0051
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 000D008E
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 000D0112
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 000D001B
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 000D000A
.text C:\Windows\system32\svchost.exe[900] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 000D00CB
.text C:\Windows\system32\svchost.exe[900] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 00160053
.text C:\Windows\system32\svchost.exe[900] msvcrt.dll!system 77D7804B 5 Bytes JMP 00160042
.text C:\Windows\system32\svchost.exe[900] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 00160FE3
.text C:\Windows\system32\svchost.exe[900] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00160000
.text C:\Windows\system32\svchost.exe[900] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00160FC8
.text C:\Windows\system32\svchost.exe[900] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 00160011
.text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 0010004A
.text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 00100025
.text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 00100FEF
.text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 00100FA8
.text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 00100065
.text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 00100FD4
.text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 0010000A
.text C:\Windows\system32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 00100FB9
.text C:\Windows\system32\svchost.exe[900] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 0011000A
.text C:\Windows\system32\svchost.exe[960] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 009D000A
.text C:\Windows\system32\svchost.exe[960] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 009D001B
.text C:\Windows\system32\svchost.exe[960] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 009D0FEF
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 009500BD
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 00950098
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 009500F3
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 00950F5C
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 00950F99
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 00950025
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 00950036
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 00950F6D
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 00950073
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 00950058
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 00950FB6
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 00950047
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 00950F7E
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 00950F4B
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 00950FEF
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 00950000
.text C:\Windows\system32\svchost.exe[960] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 009500D8
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 00A1005D
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!system 77D7804B 5 Bytes JMP 00A1004C
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 00A1001D
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00A10000
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00A10FD2
.text C:\Windows\system32\svchost.exe[960] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 00A10FE3
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 009E0F97
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 009E0FC3
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 009E0FEF
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 009E0FA8
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 009E0054
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 009E001E
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 009E0FDE
.text C:\Windows\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 009E002F
.text C:\Windows\system32\svchost.exe[960] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 009F0FE5
.text C:\Windows\System32\svchost.exe[1072] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 0090000A
.text C:\Windows\System32\svchost.exe[1072] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 0090002C
.text C:\Windows\System32\svchost.exe[1072] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 0090001B
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 00110F6F
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 00110F8A
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 00110F43
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 001100DA
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 00110FAC
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 00110FDB
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 0011002C
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 00110F9B
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 00110086
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 00110058
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 00110069
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 00110047
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 001100AB
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 001100F5
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 00110011
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 00110000
.text C:\Windows\System32\svchost.exe[1072] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 00110F54
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 0093003B
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!system 77D7804B 5 Bytes JMP 00930FB0
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 00930FD2
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00930FEF
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00930FC1
.text C:\Windows\System32\svchost.exe[1072] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 0093000C
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 00910040
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 00910FB9
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 0091000A
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 00910F9E
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 00910F79
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 00910025
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 00910FEF
.text C:\Windows\System32\svchost.exe[1072] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 00910FCA
.text C:\Windows\System32\svchost.exe[1072] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 00920FEF
.text C:\Windows\System32\svchost.exe[1148] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 00A9000A
.text C:\Windows\System32\svchost.exe[1148] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 00A9001B
.text C:\Windows\System32\svchost.exe[1148] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 00A90FE5
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 00A80073
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 00A80062
 
GMER log part2

.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 76481BF3 1 Byte [E9]
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 00A80EF7
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 00A8008E
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 00A80F5C
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 00A80FE5
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 00A80FCA
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 00A80F37
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 00A80F79
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 00A80F94
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 00A80036
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 00A80FB9
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 00A80047
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 00A80EDC
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 00A8001B
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 00A80000
.text C:\Windows\System32\svchost.exe[1148] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 00A80F12
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 00B90FB0
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!system 77D7804B 5 Bytes JMP 00B90FC1
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 00B9001D
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00B90000
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00B90FD2
.text C:\Windows\System32\svchost.exe[1148] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 00B90FE3
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 00B30F94
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 00B30FB9
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 00B30000
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 00B30036
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 00B30F83
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 00B30FD4
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 00B30FEF
.text C:\Windows\System32\svchost.exe[1148] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 00B30025
.text C:\Windows\System32\svchost.exe[1148] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 00B80FE5
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 00FD0000
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 00FD001B
.text C:\Windows\system32\svchost.exe[1204] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 00FD0FE5
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 00FC0091
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 00FC0076
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 00FC00B6
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 00FC0F1F
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 00FC0F4B
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 00FC0FDB
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 00FC0FC0
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 00FC005B
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 00FC0F68
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 00FC0F94
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 00FC0F79
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 00FC0FAF
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 00FC0040
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 00FC00C7
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 00FC0011
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 00FC0000
.text C:\Windows\system32\svchost.exe[1204] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 00FC0F30
.text C:\Windows\system32\svchost.exe[1204] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 01140FB4
.text C:\Windows\system32\svchost.exe[1204] msvcrt.dll!system 77D7804B 5 Bytes JMP 01140049
.text C:\Windows\system32\svchost.exe[1204] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 0114001D
.text C:\Windows\system32\svchost.exe[1204] msvcrt.dll!_open 77D7D106 5 Bytes JMP 01140000
.text C:\Windows\system32\svchost.exe[1204] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 0114002E
.text C:\Windows\system32\svchost.exe[1204] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 01140FE3
.text C:\Windows\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 00FE0F9B
.text C:\Windows\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 00FE0FC0
.text C:\Windows\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 00FE0000
.text C:\Windows\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 00FE003D
.text C:\Windows\system32\svchost.exe[1204] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 00FE0F8A
.text C:\Windows\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 00FE0FDB
.text C:\Windows\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 00FE0011
.text C:\Windows\system32\svchost.exe[1204] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 00FE002C
.text C:\Windows\system32\svchost.exe[1204] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 01130FE5
.text C:\Windows\system32\svchost.exe[1296] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 00190FEF
.text C:\Windows\system32\svchost.exe[1296] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 00190014
.text C:\Windows\system32\svchost.exe[1296] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 00190FD4
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 00180F63
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 001800A9
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 001800DF
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 001800CE
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 00180098
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 0018002F
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 00180040
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 00180F88
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 00180087
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 0018005B
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 00180076
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 00180FDE
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 00180F99
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 001800F0
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 0018000A
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 00180FEF
.text C:\Windows\system32\svchost.exe[1296] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 00180F52
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 007E0FD9
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!system 77D7804B 5 Bytes JMP 007E0064
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 007E0038
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_open 77D7D106 5 Bytes JMP 007E000C
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 007E0049
.text C:\Windows\system32\svchost.exe[1296] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 007E001D
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 001A0FA8
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 001A0FD4
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 001A0000
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 001A0FB9
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 001A006F
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 001A0FE5
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 001A001B
.text C:\Windows\system32\svchost.exe[1296] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 001A0036
.text C:\Windows\system32\svchost.exe[1296] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 007D0000
.text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 0100000A
.text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 01000036
.text C:\Windows\system32\svchost.exe[1356] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 01000025
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 007B0F26
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 007B006C
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 007B0F04
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 007B0091
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 007B0F77
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 007B0025
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 007B0FDE
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 007B0F4B
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 007B0F94
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 007B0051
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 007B0FA5
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 007B0040
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 007B0F5C
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 007B00AC
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 007B0FEF
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 007B000A
.text C:\Windows\system32\svchost.exe[1356] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 007B0F15
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 010C0049
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!system 77D7804B 5 Bytes JMP 010C0FBE
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 010C0027
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_open 77D7D106 5 Bytes JMP 010C0000
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 010C0038
.text C:\Windows\system32\svchost.exe[1356] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 010C0FE3
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 01010FC0
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 01010051
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 01010000
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 01010062
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 01010FA5
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 01010036
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 0101001B
.text C:\Windows\system32\svchost.exe[1356] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 01010FE5
.text C:\Windows\system32\svchost.exe[1356] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 010B0FE5
.text C:\Windows\system32\svchost.exe[1356] WinInet.dll!InternetOpenA 76EBD690 5 Bytes JMP 01060FEF
.text C:\Windows\system32\svchost.exe[1356] WinInet.dll!InternetOpenW 76EBDB09 5 Bytes JMP 0106000A
.text C:\Windows\system32\svchost.exe[1356] WinInet.dll!InternetOpenUrlA 76EBF3A4 5 Bytes JMP 01060FCA
.text C:\Windows\system32\svchost.exe[1356] WinInet.dll!InternetOpenUrlW 76F06DDF 5 Bytes JMP 01060FB9
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 00860000
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 00860022
.text C:\Windows\system32\svchost.exe[1472] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 00860011
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 007200C2
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 007200A7
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 007200E4
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 007200D3
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 00720F8D
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 00720FC3
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 00720FA8
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 00720096
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 00720067
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 0072002F
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 0072004A
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 00720014
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 00720F7C
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 00720F28
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 00720FD4
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 00720FEF
.text C:\Windows\system32\svchost.exe[1472] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 00720F61
.text C:\Windows\system32\svchost.exe[1472] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 00880069
.text C:\Windows\system32\svchost.exe[1472] msvcrt.dll!system 77D7804B 5 Bytes JMP 00880044
.text C:\Windows\system32\svchost.exe[1472] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 00880029
.text C:\Windows\system32\svchost.exe[1472] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00880FEF
.text C:\Windows\system32\svchost.exe[1472] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00880FD4
.text C:\Windows\system32\svchost.exe[1472] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 0088000C
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 00850FB9
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 00850051
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 00850000
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 00850FCA
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 00850F9E
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 00850FE5
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 0085001B
.text C:\Windows\system32\svchost.exe[1472] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 00850040
.text C:\Windows\system32\svchost.exe[1472] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 00870000
.text C:\Windows\system32\svchost.exe[1580] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 003C0FE5
.text C:\Windows\system32\svchost.exe[1580] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 003C0000
.text C:\Windows\system32\svchost.exe[1580] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 003C0FCA
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 003B0F1F
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 003B0F3A
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 003B00A5
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 003B0094
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 003B0065
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 003B0FD4
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 003B002F
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 003B0F55
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 003B0054
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 003B0FA8
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 003B0F97
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 003B0FB9
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 003B0F70
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 003B00B6
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 003B0014
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 003B0FEF
.text C:\Windows\system32\svchost.exe[1580] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 003B0F0E
.text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 00C00F97
.text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!system 77D7804B 5 Bytes JMP 00C00022
.text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 00C00FCD
.text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00C00FEF
.text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00C00FB2
.text C:\Windows\system32\svchost.exe[1580] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 00C00FDE
.text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 003E006F
.text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 003E0FCD
.text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 003E0FEF
.text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 003E0054
.text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 003E0FB2
.text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 003E001E
.text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 003E0FDE
.text C:\Windows\system32\svchost.exe[1580] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 003E0039
.text C:\Windows\system32\svchost.exe[1580] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 003F0FE5
.text C:\Windows\system32\svchost.exe[1792] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 007E0FEF
.text C:\Windows\system32\svchost.exe[1792] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 007E0FCA
.text C:\Windows\system32\svchost.exe[1792] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 007E0000
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 001F0F1F
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 001F0F3A
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 001F0EF3
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 001F008A
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 001F0051
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 001F0FCA
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 001F0FB9
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 001F0F4B
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 001F0040
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 001F0F8D
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 001F002F
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 001F0F9E
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 001F0F5C
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 001F0EE2
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 001F0FE5
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 001F0000
.text C:\Windows\system32\svchost.exe[1792] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 001F0F0E
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 00960031
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!system 77D7804B 5 Bytes JMP 00960FA6
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 00960FD2
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00960000
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00960FB7
.text C:\Windows\system32\svchost.exe[1792] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 00960FE3
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 00200040
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 00200FA8
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 00200FEF
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 0020002F
 
GMER log part3

.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 0020005B
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 0020000A
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 00200FD4
.text C:\Windows\system32\svchost.exe[1792] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 00200FC3
.text C:\Windows\system32\svchost.exe[1792] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 00800FE5
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2476] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 71389AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2476] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 71389A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\Explorer.EXE[2672] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 03760000
.text C:\Windows\Explorer.EXE[2672] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 03760025
.text C:\Windows\Explorer.EXE[2672] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 03760FE5
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 03750F3C
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 03750082
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 037500A7
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 03750F06
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 03750049
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 03750000
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 03750011
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 03750F4D
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 03750038
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 03750F8A
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 03750F6F
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 03750F9B
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 03750F5E
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 03750EEB
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 03750FCA
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 03750FEF
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 03750F21
.text C:\Windows\Explorer.EXE[2672] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 036C0F79
.text C:\Windows\Explorer.EXE[2672] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 036C000A
.text C:\Windows\Explorer.EXE[2672] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 036C0FEF
.text C:\Windows\Explorer.EXE[2672] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 036C001B
.text C:\Windows\Explorer.EXE[2672] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 036C0F68
.text C:\Windows\Explorer.EXE[2672] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 036C0FC3
.text C:\Windows\Explorer.EXE[2672] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 036C0FDE
.text C:\Windows\Explorer.EXE[2672] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 036C0FA8
.text C:\Windows\Explorer.EXE[2672] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 036F0064
.text C:\Windows\Explorer.EXE[2672] msvcrt.dll!system 77D7804B 5 Bytes JMP 036F0053
.text C:\Windows\Explorer.EXE[2672] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 036F0FE3
.text C:\Windows\Explorer.EXE[2672] msvcrt.dll!_open 77D7D106 5 Bytes JMP 036F000C
.text C:\Windows\Explorer.EXE[2672] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 036F0042
.text C:\Windows\Explorer.EXE[2672] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 036F001D
.text C:\Windows\Explorer.EXE[2672] WS2_32.dll!socket 77CF36D1 5 Bytes JMP 036E0000
.text C:\Windows\Explorer.EXE[2672] WININET.dll!InternetOpenA 76EBD690 5 Bytes JMP 036D0FEF
.text C:\Windows\Explorer.EXE[2672] WININET.dll!InternetOpenW 76EBDB09 5 Bytes JMP 036D000A
.text C:\Windows\Explorer.EXE[2672] WININET.dll!InternetOpenUrlA 76EBF3A4 5 Bytes JMP 036D0FD4
.text C:\Windows\Explorer.EXE[2672] WININET.dll!InternetOpenUrlW 76F06DDF 5 Bytes JMP 036D0025
.text C:\Windows\system32\wuauclt.exe[5904] ntdll.dll!NtCreateFile 77BD43D4 5 Bytes JMP 00040FEF
.text C:\Windows\system32\wuauclt.exe[5904] ntdll.dll!NtCreateProcess 77BD4494 5 Bytes JMP 0004000A
.text C:\Windows\system32\wuauclt.exe[5904] ntdll.dll!NtProtectVirtualMemory 77BD4D34 5 Bytes JMP 00040FD4
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!GetStartupInfoW 76481929 5 Bytes JMP 0001009D
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!GetStartupInfoA 764819C9 5 Bytes JMP 00010082
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!CreateProcessW 76481BF3 5 Bytes JMP 00010F32
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!CreateProcessA 76481C28 5 Bytes JMP 000100C9
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!VirtualProtect 76481DC3 5 Bytes JMP 00010038
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!CreateNamedPipeA 76482EF5 5 Bytes JMP 0001000A
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!CreateNamedPipeW 76485C0C 5 Bytes JMP 00010FB9
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!CreatePipe 764A8E6E 5 Bytes JMP 0001005D
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!LoadLibraryExW 764A9109 5 Bytes JMP 00010F5E
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!LoadLibraryW 764A9362 5 Bytes JMP 00010F79
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!LoadLibraryExA 764A94B4 5 Bytes JMP 0001001B
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!LoadLibraryA 764A94DC 5 Bytes JMP 00010F94
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!VirtualProtectEx 764ADBDA 5 Bytes JMP 00010F4D
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!GetProcAddress 764C903B 5 Bytes JMP 00010F21
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!CreateFileW 764CAECB 5 Bytes JMP 00010FD4
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!CreateFileA 764CCE5F 5 Bytes JMP 00010FE5
.text C:\Windows\system32\wuauclt.exe[5904] kernel32.dll!WinExec 76515CF7 5 Bytes JMP 000100AE
.text C:\Windows\system32\wuauclt.exe[5904] msvcrt.dll!_wsystem 77D77F2F 5 Bytes JMP 00070F75
.text C:\Windows\system32\wuauclt.exe[5904] msvcrt.dll!system 77D7804B 5 Bytes JMP 00070F90
.text C:\Windows\system32\wuauclt.exe[5904] msvcrt.dll!_creat 77D7BBE1 5 Bytes JMP 00070FC6
.text C:\Windows\system32\wuauclt.exe[5904] msvcrt.dll!_open 77D7D106 5 Bytes JMP 00070000
.text C:\Windows\system32\wuauclt.exe[5904] msvcrt.dll!_wcreat 77D7D326 5 Bytes JMP 00070FAB
.text C:\Windows\system32\wuauclt.exe[5904] msvcrt.dll!_wopen 77D7D501 5 Bytes JMP 00070FE3
.text C:\Windows\system32\wuauclt.exe[5904] ADVAPI32.dll!RegCreateKeyExA 765839AB 5 Bytes JMP 000C0040
.text C:\Windows\system32\wuauclt.exe[5904] ADVAPI32.dll!RegCreateKeyA 76583BA9 5 Bytes JMP 000C001B
.text C:\Windows\system32\wuauclt.exe[5904] ADVAPI32.dll!RegOpenKeyA 765889C7 5 Bytes JMP 000C0FE5
.text C:\Windows\system32\wuauclt.exe[5904] ADVAPI32.dll!RegCreateKeyW 7659391E 5 Bytes JMP 000C0F9E
.text C:\Windows\system32\wuauclt.exe[5904] ADVAPI32.dll!RegCreateKeyExW 765941F1 5 Bytes JMP 000C0F8D
.text C:\Windows\system32\wuauclt.exe[5904] ADVAPI32.dll!RegOpenKeyExA 76597C42 5 Bytes JMP 000C0000
.text C:\Windows\system32\wuauclt.exe[5904] ADVAPI32.dll!RegOpenKeyW 7659E2B5 5 Bytes JMP 000C0FCA
.text C:\Windows\system32\wuauclt.exe[5904] ADVAPI32.dll!RegOpenKeyExW 765A7BA1 5 Bytes JMP 000C0FAF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[908] @ C:\Windows\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [010D7740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[908] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [010D77A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [65EBF3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 976771075
Disk \Device\Harddisk0\DR0 PE file @ sector 976771097
 
DDS Log

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Trevor at 20:14:09.12 on 04/04/2011
Internet Explorer: 8.0.6001.18928
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1061 [GMT 1:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\recover\y5f8w0qg.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\recover\dds.scr
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.orange.co.uk/
uWindow Title = Internet Explorer provided by Dell
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101105030355.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [EPSON Stylus SX200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatiefe.exe /fu "c:\windows\temp\E_S6ED8.tmp" /EF "HKCU"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ares] "c:\users\spencer\ares\Ares.exe" -h
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
StartupFolder: c:\users\trevor\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
Trusted Zone: cityandguilds.com\mymail1
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1281466038603
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1281466084214
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: x-excid - {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\windows\downloaded program files\mimectl.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\trevor\appdata\roaming\mozilla\firefox\profiles\38o4k2hg.default\
FF - prefs.js: browser.startup.homepage - hxxps://mymail1.cityandguilds.com/exchange/
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-11 386840]
R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-8-11 64304]
R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-8-11 164840]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-4-3 18816]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-23 155648]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-11 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-11 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-11 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-11 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-11 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-11 141792]
R2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt60.sys [2009-2-18 27648]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-11 55840]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-11 152960]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-11 313288]
R3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-10 135664]
S3 {6F1A1DEF-B8F2-4C88-964CC95379657262};{6F1A1DEF-B8F2-4C88-964CC95379657262};c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-12-9 54632]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-11 52104]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-11 84264]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2009-2-19 73728]
.
=============== Created Last 30 ================
.
2011-04-04 18:31:00 -------- d-----w- c:\users\trevor\appdata\roaming\PCDr
2011-04-03 21:45:03 -------- d-----w- c:\users\trevor\appdata\roaming\Malwarebytes
2011-04-03 21:44:57 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-03 21:44:56 -------- d-----w- c:\progra~2\Malwarebytes
2011-04-03 21:44:53 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-03 21:44:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-03 21:24:22 98816 ----a-w- c:\windows\sed.exe
2011-04-03 21:24:22 89088 ----a-w- c:\windows\MBR.exe
2011-04-03 21:24:22 256512 ----a-w- c:\windows\PEV.exe
2011-04-03 21:24:22 161792 ----a-w- c:\windows\SWREG.exe
2011-04-03 21:24:17 -------- d-s---w- C:\ComboFix
2011-04-03 21:09:03 -------- d-----w- C:\recover
2011-04-03 20:58:37 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-04-03 20:17:18 -------- d-----w- c:\program files\Sophos
2011-04-03 10:30:10 -------- d-----w- c:\program files\common files\Wise Installation Wizard
2011-04-02 08:33:24 2404352 --sha-w- c:\progra~2\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.dat
2011-03-12 11:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
.
==================== Find3M ====================
.
.
============= FINISH: 20:14:29.31 ===============
 
DDS Attach Log

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 18/02/2009 20:36:32
System Uptime: 04/04/2011 19:42:04 (1 hours ago)
.
Motherboard: Dell Inc. | | 0M017G
Processor: Intel(R) Core(TM)2 Duo CPU E7300 @ 2.66GHz | CPU 1 | 2403/267mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 451 GiB total, 423.448 GiB free.
D: is FIXED (NTFS) - 15 GiB total, 9.261 GiB free.
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP852: 04/04/2011 00:17:36 - Windows Update
RP853: 04/04/2011 19:33:05 - Installed Dell Support Center
.
==== Installed Programs ======================
.
ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.3
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
Camera RAW Plug-In for EPSON Creativity Suite
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center Localization Chinese Standard
Catalyst Control Center Localization Chinese Traditional
Catalyst Control Center Localization French
Catalyst Control Center Localization German
Catalyst Control Center Localization Hungarian
Catalyst Control Center Localization Italian
Catalyst Control Center Localization Japanese
Catalyst Control Center Localization Korean
Catalyst Control Center Localization Portuguese
Catalyst Control Center Localization Spanish
Catalyst Control Center Localization Turkish
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help English
CCC Help French
CCC Help German
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Portuguese
CCC Help Spanish
CCC Help Turkish
CCleaner
Compatibility Pack for the 2007 Office system
Dell-eBay
Dell Best of Web
Dell DataSafe Online
Dell Dock
Dell Getting Started Guide
Dell Support Center
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan
EPSON Scan Assistant
EPSON Stylus SX200 Series Printer Uninstall
EPSON Stylus SX200_SX400_TX200_TX400 Manual
Google Chrome
Google Update Helper
GoToAssist 8.0.0.514
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Java(TM) 6 Update 7
Junk Mail filter update
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office Live Add-in 1.5
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Office Word Viewer 2003
Microsoft Outlook Web Access S/MIME
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Works
Mozilla Firefox (3.0.6)
MSVCRT
OGA Notifier 2.0.0048.0
QuickTime
Realtek Ethernet Network Card Diagnostic tool for Windows Vista
Realtek High Definition Audio Driver
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Skins
Sophos Anti-Rootkit 1.5.4
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live ID Sign-in Assistant
Windows Live Mail
Windows Live Messenger
Windows Live Movie Maker
Windows Live Photo Gallery
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
.
==== Event Viewer Messages From Past Week ========
.
04/04/2011 00:17:57, Error: volsnap [20] - The shadow copies of volume C: were aborted because of a failed free space computation.
03/04/2011 23:53:08, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
03/04/2011 23:53:08, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
03/04/2011 23:53:07, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
03/04/2011 23:45:28, Error: Service Control Manager [7030] - The Background Intelligent Transfer Service service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
03/04/2011 22:37:35, Error: Service Control Manager [7034] - The Ati External Event Utility service terminated unexpectedly. It has done this 1 time(s).
03/04/2011 22:30:48, Error: Service Control Manager [7030] - The PEVSystemStart service is marked as an interactive service. However, the system is configured to not allow interactive services. This service may not function properly.
03/04/2011 22:05:17, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
03/04/2011 22:02:23, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:22, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
03/04/2011 22:02:16, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC mfehidk mfenlfk mfewfpk NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The McShield service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The McAfee Validation Trust Protection Service service depends on the McAfee Inc. mfehidk service which failed to start because of the following error: A device attached to the system is not functioning.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The McAfee Proxy Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The McAfee Personal Firewall Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The McAfee Firewall Core Service service depends on the McAfee Validation Trust Protection Service service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The McAfee Anti-Spam Service service depends on the McAfee Firewall Core Service service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
03/04/2011 22:02:16, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
03/04/2011 22:01:49, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
03/04/2011 22:01:49, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
03/04/2011 22:01:49, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
03/04/2011 22:01:47, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
03/04/2011 22:01:41, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
03/04/2011 21:10:22, Error: EventLog [6008] - The previous system shutdown at 21:08:45 on 03/04/2011 was unexpected.
03/04/2011 21:08:11, Error: Service Control Manager [7034] - The SupportSoft Sprocket Service (DellSupportCenter) service terminated unexpectedly. It has done this 1 time(s).
03/04/2011 21:08:02, Error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
03/04/2011 21:07:55, Error: Service Control Manager [7031] - The Software Licensing service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 120000 milliseconds: Restart the service.
03/04/2011 21:06:30, Error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
03/04/2011 21:06:10, Error: Service Control Manager [7034] - The Dock Login Service service terminated unexpectedly. It has done this 1 time(s).
03/04/2011 21:05:45, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
03/04/2011 20:18:34, Error: EventLog [6008] - The previous system shutdown at 20:17:22 on 03/04/2011 was unexpected.
03/04/2011 20:14:44, Error: Service Control Manager [7031] - The McShield service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
03/04/2011 19:03:59, Error: EventLog [6008] - The previous system shutdown at 19:01:49 on 03/04/2011 was unexpected.
03/04/2011 18:54:18, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 4 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
03/04/2011 18:45:52, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
03/04/2011 18:44:40, Error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
03/04/2011 18:38:55, Error: EventLog [6008] - The previous system shutdown at 18:37:03 on 03/04/2011 was unexpected.
03/04/2011 18:29:09, Error: Service Control Manager [7031] - The Windows Live ID Sign-in Assistant service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.
03/04/2011 18:29:00, Error: Service Control Manager [7031] - The Windows Media Player Network Sharing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 30000 milliseconds: Restart the service.
03/04/2011 17:59:07, Error: Service Control Manager [7034] - The Google Update Service (gupdate) service terminated unexpectedly. It has done this 1 time(s).
.
==== End Of File ===========================
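Added example, not part of this thread or of the DDS tool: a small Python triage pass over lines copied from the DDS log above, flagging the entries a responder would read first (UAC policy values set to 0, a BHO registration pointing at no file, a service whose name is a bare GUID hosted in svchost, and a hidden+system file with a random name under ProgramData). The heuristics and tag names are my own assumptions, not rules from the helper or from DDS.

```python
import re

# Input lines copied from the DDS log posted above (Pseudo HJT, services and
# "Created Last 30" sections), embedded here so the example runs offline.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-11 386840]
S3 {6F1A1DEF-B8F2-4C88-964CC95379657262};{6F1A1DEF-B8F2-4C88-964CC95379657262};c:\windows\system32\svchost.exe -k netsvcs [2008-1-21 21504]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
2011-04-03 21:24:17 -------- d-s---w- C:\ComboFix
2011-04-02 08:33:24 2404352 --sha-w- c:\progra~2\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.dat
2011-03-12 11:28:40 103864 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
"""

# Line shapes as they appear in a DDS log (patterns are my own reading of the format).
POLICY_RE = re.compile(r"^mPolicies-system:\s+(\w+)\s*=\s*(\d+)")
SERVICE_RE = re.compile(r"^[RS]\d\s+([^;]+);([^;]*);(.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]+\}$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\s+(?:\d+|-+)\s+([a-z-]{8})\s+(.+)$"
)


def triage_dds(text):
    """Return [(tag, line), ...] for log lines that deserve a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # UAC policy values written as 0 mean elevation prompts are off.
        m = POLICY_RE.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            if key == "EnableLUA" and value == 0:
                findings.append(("uac_disabled", line))
            elif key == "ConsentPromptBehaviorAdmin" and value == 0:
                findings.append(("admin_elevates_without_prompt", line))
            continue

        # A BHO whose DLL no longer exists is a leftover registration.
        if line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(("orphaned_bho", line))
            continue

        # A service whose name is a bare GUID, hosted in svchost, has no
        # vendor or display name owning it; the real services here do.
        m = SERVICE_RE.match(line)
        if m:
            name, _display, image = m.groups()
            if GUID_RE.match(name) and "svchost.exe" in image.lower():
                findings.append(("guid_named_svchost_service", line))
            continue

        # In "Created Last 30" the attribute column carries d (directory),
        # s (system) and h (hidden); a plain file with both s and h that
        # lives outside c:\windows is unusual and worth a look.
        m = CREATED_RE.match(line)
        if m:
            attrs, path = m.groups()
            is_dir = attrs.startswith("d")
            in_windows = path.lower().startswith("c:\\windows")
            if not is_dir and "s" in attrs and "h" in attrs and not in_windows:
                findings.append(("hidden_system_file", line))
    return findings


def summarize(findings):
    """Count findings per tag, e.g. {'uac_disabled': 1, ...}."""
    counts = {}
    for tag, _ in findings:
        counts[tag] = counts.get(tag, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_dds(SAMPLE_DDS)
    for tag, line in results:
        print(f"[{tag}] {line}")
    print(summarize(results))
```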
 
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer to fix the issue.



Make sure you re-enable your security programs when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete the Combofix file and download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows Vista Home Premium Edition
Windows Information: Service Pack 2 (build 6002), 32-bit
Base Board Manufacturer: Dell Inc.
BIOS Manufacturer: Dell Inc.
System Manufacturer: Dell Inc.
System Product Name: Studio 540
Logical Drives Mask: 0x000003dc

Kernel Drivers (total 147):
0x82447000 \SystemRoot\system32\ntkrnlpa.exe
0x82414000 \SystemRoot\system32\hal.dll
0x80406000 \SystemRoot\system32\kdcom.dll
0x8040D000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x8047D000 \SystemRoot\system32\PSHED.dll
0x8048E000 \SystemRoot\system32\BOOTVID.dll
0x80496000 \SystemRoot\system32\CLFS.SYS
0x804D7000 \SystemRoot\system32\CI.dll
0x80600000 \SystemRoot\system32\drivers\Wdf01000.sys
0x8067C000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x80689000 \SystemRoot\system32\drivers\acpi.sys
0x806CF000 \SystemRoot\system32\drivers\WMILIB.SYS
0x806D8000 \SystemRoot\system32\drivers\msisadrv.sys
0x806E0000 \SystemRoot\system32\drivers\pci.sys
0x80707000 \SystemRoot\System32\drivers\partmgr.sys
0x80716000 \SystemRoot\system32\drivers\volmgr.sys
0x80725000 \SystemRoot\System32\drivers\volmgrx.sys
0x8076F000 \SystemRoot\system32\DRIVERS\intelide.sys
0x80776000 \SystemRoot\system32\DRIVERS\PCIIDEX.SYS
0x80784000 \SystemRoot\system32\drivers\pciide.sys
0x8078B000 \SystemRoot\System32\drivers\mountmgr.sys
0x8079B000 \SystemRoot\system32\drivers\atapi.sys
0x807A3000 \SystemRoot\system32\drivers\ataport.SYS
0x807C1000 \SystemRoot\system32\drivers\fltmgr.sys
0x805B7000 \SystemRoot\system32\drivers\fileinfo.sys
0x82A03000 \SystemRoot\system32\drivers\mfehidk.sys
0x82A60000 \SystemRoot\System32\Drivers\PxHelp20.sys
0x82A69000 \SystemRoot\System32\Drivers\ksecdd.sys
0x82ADA000 \SystemRoot\system32\drivers\ndis.sys
0x805C7000 \SystemRoot\system32\drivers\msrpc.sys
0x88007000 \SystemRoot\system32\drivers\NETIO.SYS
0x88042000 \SystemRoot\System32\Drivers\Ntfs.sys
0x88152000 \SystemRoot\system32\drivers\volsnap.sys
0x8818B000 \SystemRoot\System32\Drivers\spldr.sys
0x88193000 \SystemRoot\System32\Drivers\mup.sys
0x881A2000 \SystemRoot\System32\drivers\ecache.sys
0x881C9000 \SystemRoot\system32\drivers\disk.sys
0x881DA000 \SystemRoot\system32\drivers\CLASSPNP.SYS
0x82BE5000 \SystemRoot\system32\drivers\crcdisk.sys
0x8B808000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x8B813000 \SystemRoot\system32\DRIVERS\tunmp.sys
0x8B81C000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x8BA0B000 \SystemRoot\system32\DRIVERS\atikmdag.sys
0x8BF04000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x8BFA5000 \SystemRoot\System32\drivers\watchdog.sys
0x8B82B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0x8BFB1000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x8BFBC000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x8B8B8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x8B8C7000 \SystemRoot\system32\DRIVERS\ohci1394.sys
0x8B8D7000 \SystemRoot\system32\DRIVERS\1394BUS.SYS
0x8B8E5000 \SystemRoot\system32\DRIVERS\Rtlh86.sys
0x8B907000 \SystemRoot\system32\DRIVERS\cdrom.sys
0x8B91F000 \SystemRoot\system32\DRIVERS\msiscsi.sys
0x8B94E000 \SystemRoot\system32\DRIVERS\storport.sys
0x8BA00000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x8B98F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x8B9A6000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x8B9B1000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x8B9D4000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x8B9E3000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x8C00B000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x8C020000 \SystemRoot\system32\DRIVERS\termdd.sys
0x8C030000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0x8C03B000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x8C046000 \SystemRoot\system32\DRIVERS\swenum.sys
0x8C048000 \SystemRoot\system32\DRIVERS\ks.sys
0x8C072000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0x8C07C000 \SystemRoot\system32\DRIVERS\umbus.sys
0x8C089000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x8C0BE000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x8C0DA000 \SystemRoot\system32\drivers\HdAudio.sys
0x8C119000 \SystemRoot\system32\drivers\portcls.sys
0x8C146000 \SystemRoot\system32\drivers\drmk.sys
0x8C40C000 \SystemRoot\system32\drivers\RTKVHDA.sys
0x8C619000 \??\C:\Windows\system32\SAVRKBootTasks.sys
0x8C61E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0x8C627000 \SystemRoot\System32\Drivers\Null.SYS
0x8C62E000 \SystemRoot\System32\Drivers\Beep.SYS
0x8C63E000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0x8C645000 \SystemRoot\System32\drivers\vga.sys
0x8C651000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x8C672000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x8C67A000 \SystemRoot\system32\drivers\rdpencdd.sys
0x8C682000 \SystemRoot\System32\Drivers\Msfs.SYS
0x8C68D000 \SystemRoot\System32\Drivers\Npfs.SYS
0x8C69B000 \SystemRoot\System32\DRIVERS\rasacd.sys
0x8C6A4000 \SystemRoot\System32\drivers\tcpip.sys
0x8C78E000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x8C7A9000 \SystemRoot\system32\drivers\mfewfpk.sys
0x8C7D0000 \SystemRoot\system32\DRIVERS\tdx.sys
0x8C7E6000 \SystemRoot\system32\DRIVERS\smb.sys
0x8C176000 \SystemRoot\System32\DRIVERS\netbt.sys
0x8C1A8000 \SystemRoot\system32\drivers\afd.sys
0x8CA07000 \SystemRoot\system32\DRIVERS\pacer.sys
0x8CA1D000 \SystemRoot\system32\DRIVERS\mfenlfk.sys
0x8CA2B000 \SystemRoot\system32\DRIVERS\netbios.sys
0x8CA39000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x8CA4C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x8CA88000 \SystemRoot\system32\drivers\nsiproxy.sys
0x8CA92000 \SystemRoot\System32\Drivers\dfsc.sys
0x8CAA9000 \SystemRoot\system32\drivers\mfeavfk.sys
0x8CACD000 \SystemRoot\system32\drivers\mfefirek.sys
0x8CB18000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x8CB2F000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x8CB31000 \SystemRoot\system32\DRIVERS\hidusb.sys
0x8CB3A000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0x8CB4A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0x8CB53000 \SystemRoot\system32\DRIVERS\mouhid.sys
0x8CB5B000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x8CB70000 \SystemRoot\System32\Drivers\crashdmp.sys
0x8CB7D000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x8CB88000 \SystemRoot\System32\Drivers\dump_atapi.sys
0x94470000 \SystemRoot\System32\win32k.sys
0x8CB90000 \SystemRoot\System32\drivers\Dxapi.sys
0x8CB9A000 \SystemRoot\system32\DRIVERS\monitor.sys
0x94690000 \SystemRoot\System32\TSDDD.dll
0x8CBA9000 \SystemRoot\system32\drivers\luafv.sys
0x8CBC4000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x8CBD4000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x8CBE7000 \SystemRoot\system32\DRIVERS\RtNdPt60.sys
0x81209000 \SystemRoot\system32\drivers\spsys.sys
0x812B9000 \SystemRoot\system32\drivers\HTTP.sys
0x81326000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x81343000 \SystemRoot\system32\DRIVERS\bowser.sys
0x8135C000 \SystemRoot\System32\drivers\mpsdrv.sys
0x81371000 \SystemRoot\system32\drivers\mrxdav.sys
0x81392000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x813B1000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x81E02000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x81E1A000 \SystemRoot\System32\DRIVERS\srv2.sys
0x81E41000 \SystemRoot\System32\DRIVERS\srv.sys
0x81E8F000 \SystemRoot\system32\drivers\peauth.sys
0x81F6D000 \SystemRoot\System32\Drivers\secdrv.SYS
0x81F77000 \SystemRoot\System32\drivers\tcpipreg.sys
0x81F83000 \SystemRoot\System32\Drivers\fastfat.SYS
0x81FAB000 \SystemRoot\system32\DRIVERS\WUDFRd.sys
0x81FC0000 \SystemRoot\system32\DRIVERS\WUDFPf.sys
0x81FD2000 \SystemRoot\system32\drivers\cfwids.sys
0x81FDE000 \SystemRoot\system32\DRIVERS\cdfs.sys
0xAB208000 \??\C:\Users\Trevor\AppData\Local\Temp\ufdiipob.sys
0xAB258000 \??\c:\program files\dell support center\pcdsrvc.pkms
0xAB25C000 \??\C:\Users\Trevor\AppData\Local\Temp\mbr.sys
0x94720000 \SystemRoot\System32\cdd.dll
0xAB29A000 \SystemRoot\system32\drivers\mfeapfk.sys
0xAB2B0000 \SystemRoot\system32\drivers\mfebopk.sys
0x77B70000 \Windows\System32\ntdll.dll

Processes (total 60):
0 System Idle Process
4 System
516 C:\Windows\System32\smss.exe
592 csrss.exe
652 C:\Windows\System32\wininit.exe
696 C:\Windows\System32\services.exe
708 C:\Windows\System32\lsass.exe
716 C:\Windows\System32\lsm.exe
900 C:\Windows\System32\svchost.exe
960 C:\Windows\System32\svchost.exe
1052 C:\Windows\System32\Ati2evxx.exe
1072 C:\Windows\System32\svchost.exe
1148 C:\Windows\System32\svchost.exe
1204 C:\Windows\System32\svchost.exe
1272 C:\Windows\System32\audiodg.exe
1296 C:\Windows\System32\svchost.exe
1320 C:\Windows\System32\SLsvc.exe
1356 C:\Windows\System32\svchost.exe
1460 C:\Program Files\Dell\DellDock\DockLogin.exe
1580 C:\Windows\System32\svchost.exe
1764 C:\Windows\System32\spoolsv.exe
1792 C:\Windows\System32\svchost.exe
396 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
908 C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
1472 C:\Windows\System32\svchost.exe
1860 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
760 C:\Windows\System32\svchost.exe
400 C:\Windows\System32\svchost.exe
884 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVC.EXE
2148 C:\Windows\System32\SearchIndexer.exe
2184 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
2328 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
2420 C:\Windows\System32\taskeng.exe
2476 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
2664 WUDFHost.exe
3524 C:\Program Files\Common Files\microsoft shared\Windows Live\WLIDSVCM.EXE
1220 C:\Program Files\Windows Media Player\wmpnetwk.exe
6008 C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
5232 csrss.exe
5312 C:\Windows\System32\winlogon.exe
4348 C:\Windows\System32\Ati2evxx.exe
5860 taskeng.exe
5376 C:\Windows\System32\VSSVC.exe
5984 C:\Windows\System32\svchost.exe
3504 C:\Program Files\McAfee.com\Agent\mcagent.exe
2416 C:\Program Files\Dell\DellDock\DellDock.exe
4964 C:\Windows\explorer.exe
2360 C:\Windows\System32\dwm.exe
2372 C:\Windows\System32\taskeng.exe
1140 C:\Windows\RtHDVCpl.exe
3580 C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
2796 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
2220 C:\Program Files\Windows Sidebar\sidebar.exe
5256 C:\Program Files\Windows Media Player\wmpnscfg.exe
3860 WmiPrvSE.exe
2732 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
2912 C:\Windows\System32\wuauclt.exe
2200 C:\Windows\System32\SearchProtocolHost.exe
2832 C:\Windows\System32\SearchFilterHost.exe
4196 C:\recover\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000003`c4700000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`04700000 (NTFS)

PhysicalDrive0 Model Number: ST3500620AS, Rev: DE13

Size Device Name MBR Status
--------------------------------------------
465 GB \\.\PhysicalDrive0 Windows Vista MBR code detected
SHA1: 8DF43F2BDE2D9451948FA14B5279969C777A7979


Done!
 
ComboFix 11-04-04.01 - Trevor 05/04/2011 0:43.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.967 [GMT 1:00]
Running from: c:\recover\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.dat
c:\programdata\PCDr\5744\Downloads\48edbc2f-6595-43d2-a911-c3713e9b499f.dll
c:\programdata\PCDr\5744\Downloads\5275e755-7d9f-4ddb-a61e-645d687f55e1.dll
c:\programdata\PCDr\5744\Downloads\86fa80c6-799b-4d0b-a3f5-f7886c10db2c.dll
c:\users\Fraser\AppData\Local\{3B3F6F20-1851-4673-B1A9-FCBCDCDA59A2}
c:\users\Fraser\AppData\Local\{3B3F6F20-1851-4673-B1A9-FCBCDCDA59A2}\chrome.manifest
c:\users\Fraser\AppData\Local\{3B3F6F20-1851-4673-B1A9-FCBCDCDA59A2}\chrome\content\_cfg.js
c:\users\Fraser\AppData\Local\{3B3F6F20-1851-4673-B1A9-FCBCDCDA59A2}\chrome\content\overlay.xul
c:\users\Fraser\AppData\Local\{3B3F6F20-1851-4673-B1A9-FCBCDCDA59A2}\install.rdf
c:\users\Lynn\AppData\Local\{34E707FD-E3A8-4278-9CED-D5F43E578489}
c:\users\Lynn\AppData\Local\{34E707FD-E3A8-4278-9CED-D5F43E578489}\chrome.manifest
c:\users\Lynn\AppData\Local\{34E707FD-E3A8-4278-9CED-D5F43E578489}\chrome\content\_cfg.js
c:\users\Lynn\AppData\Local\{34E707FD-E3A8-4278-9CED-D5F43E578489}\chrome\content\overlay.xul
c:\users\Lynn\AppData\Local\{34E707FD-E3A8-4278-9CED-D5F43E578489}\install.rdf
c:\users\Spencer\AppData\Local\{6E31663A-3816-4BC9-8B7F-C82A791CB99A}
c:\users\Spencer\AppData\Local\{6E31663A-3816-4BC9-8B7F-C82A791CB99A}\chrome.manifest
c:\users\Spencer\AppData\Local\{6E31663A-3816-4BC9-8B7F-C82A791CB99A}\chrome\content\_cfg.js
c:\users\Spencer\AppData\Local\{6E31663A-3816-4BC9-8B7F-C82A791CB99A}\chrome\content\overlay.xul
c:\users\Spencer\AppData\Local\{6E31663A-3816-4BC9-8B7F-C82A791CB99A}\install.rdf
c:\users\Spencer\AppData\Roaming\DataSafeDotNet.exe
c:\users\Trevor\AppData\Local\{959A63B1-9263-4A79-82C7-0C686D81225E}
c:\users\Trevor\AppData\Local\{959A63B1-9263-4A79-82C7-0C686D81225E}\chrome.manifest
c:\users\Trevor\AppData\Local\{959A63B1-9263-4A79-82C7-0C686D81225E}\chrome\content\_cfg.js
c:\users\Trevor\AppData\Local\{959A63B1-9263-4A79-82C7-0C686D81225E}\chrome\content\overlay.xul
c:\users\Trevor\AppData\Local\{959A63B1-9263-4A79-82C7-0C686D81225E}\install.rdf
.
.
\\.\PhysicalDrive0 - Bootkit Sinowal was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-03-04 to 2011-04-04 )))))))))))))))))))))))))))))))
.
.
2011-04-04 23:49 . 2011-04-04 23:49 -------- d-----w- c:\users\Trevor\AppData\Local\temp
2011-04-04 23:49 . 2011-04-04 23:49 -------- d-----w- c:\users\Spencer\AppData\Local\temp
2011-04-04 23:49 . 2011-04-04 23:49 -------- d-----w- c:\users\Lynn\AppData\Local\temp
2011-04-04 23:49 . 2011-04-04 23:49 -------- d-----w- c:\users\Fraser\AppData\Local\temp
2011-04-04 23:49 . 2011-04-04 23:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-04-04 18:31 . 2011-04-04 18:32 -------- d-----w- c:\users\Trevor\AppData\Roaming\PCDr
2011-04-03 21:45 . 2011-04-03 21:45 -------- d-----w- c:\users\Trevor\AppData\Roaming\Malwarebytes
2011-04-03 21:44 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-03 21:44 . 2011-04-03 21:44 -------- d-----w- c:\programdata\Malwarebytes
2011-04-03 21:44 . 2011-04-03 21:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-03 21:44 . 2010-12-20 17:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-03 21:09 . 2011-04-04 23:40 -------- d-----w- C:\recover
2011-04-03 20:58 . 2010-05-26 09:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-04-03 20:17 . 2011-04-03 20:17 -------- d-----w- c:\program files\Sophos
2011-04-03 10:30 . 2011-04-03 10:30 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2011-03-12 11:28 . 2011-03-12 11:28 103864 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-03 20:15 . 2009-08-18 10:30 564632 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\wlidui.dll
2011-04-03 20:15 . 2009-08-18 10:24 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2010-10-13 22:28 . 2010-08-11 21:12 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2008-07-18 6246400]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
.
c:\users\Fraser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Lynn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Spencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
c:\users\Trevor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-23 1295656]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-02-18 20:59 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-434816535-2944040570-4112479016-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
R3 {6F1A1DEF-B8F2-4C88-964CC95379657262};{6F1A1DEF-B8F2-4C88-964CC95379657262};c:\windows\System32\svchost.exe [2008-01-21 21504]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\CF20.tmp [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 AERTFilters;Andrea RT Filters Service;c:\windows\system32\AERTSrv.exe [2008-07-18 73728]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-23 155648]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
S2 RtNdPt60;Realtek NDIS Protocol Driver;c:\windows\system32\DRIVERS\RtNdPt60.sys [2008-07-21 27648]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-11-18 21744]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - UFDIIPOB
*Deregistered* - mfeavfk01
*Deregistered* - ufdiipob
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{6F1A1DEF-B8F2-4C88-964CC95379657262}
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 09:20]
.
2011-04-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 09:20]
.
2011-04-04 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-04-04 c:\windows\Tasks\RtlNICDiagVistaStart.job
- c:\program files\Realtek\RTNICDiag\RTNICDiag.exe [2009-02-18 11:18]
.
2011-04-04 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
2011-04-04 c:\windows\Tasks\User_Feed_Synchronization-{76DDD24A-BDC3-4125-8F2C-A7DE5913AF51}.job
- c:\windows\system32\msfeedssync.exe [2010-06-11 04:30]
.
2011-04-04 c:\windows\Tasks\User_Feed_Synchronization-{D58BD327-89B8-4938-BECF-ED07E573BA6F}.job
- c:\windows\system32\msfeedssync.exe [2010-06-11 04:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.orange.co.uk/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: cityandguilds.com\mymail1
FF - ProfilePath - c:\users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\38o4k2hg.default\
FF - prefs.js: browser.startup.homepage - hxxps://mymail1.cityandguilds.com/exchange/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ares - c:\users\Spencer\Ares\Ares.exe
HKLM-Run-dellsupportcenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
MSConfigStartUp-Cognac - c:\users\Lynn\AppData\Local\Temp\b.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-05 00:49
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\users\Trevor\AppData\Local\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\CF20.tmp"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{6F1A1DEF-B8F2-4C88-964CC95379657262}]
"ServiceDll"="c:\users\Trevor\AppData\Local\Temp\BA9.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,18,e3,f5,18,9f,cd,44,89,88,c6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7d,18,e3,f5,18,9f,cd,44,89,88,c6,\
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10o_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-04-05 00:51:14
ComboFix-quarantined-files.txt 2011-04-04 23:51
.
Pre-Run: 453,696,180,224 bytes free
Post-Run: 453,651,025,920 bytes free
.
- - End Of File - - 52074F05AD94CF1D3D6F85093CBD3173
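Editor's note on reading the log above: ComboFix's "Reg Loading Points" and the registry excerpt near the end both show a service with a GUID-like name hosted by svchost.exe whose ServiceDll is a .tmp file under a user's AppData\Local\Temp, and the MBRCheck driver list shows a kernel driver loaded from the same Temp directory. Those are the kinds of persistence locations worth pulling out of a log mechanically. The block below is an added example written for this page, not code from the thread, from ComboFix or from MBRCheck. Its sample input is constructed from lines copied out of the two logs above; the heuristics (Temp-directory images, .tmp extensions, GUID-like service names, svchost ServiceDll outside %SystemRoot%) and the Vista-era path layout they assume are the editor's, and a hit means "review", not "malware": rootkit scanners and ComboFix itself load randomly named drivers from Temp, and a .tmp driver image is also how some legitimate scanners work. Separately, the same "Reg Loading Points" section shows EnableLUA=0 and ConsentPromptBehaviorAdmin=0, i.e. UAC switched off, which is worth turning back on once the machine is declared clean.

```python
r"""Triage service and driver entries from ComboFix / MBRCheck logs.

Heuristics are review triggers, not verdicts:
  - image or ServiceDll under a user profile's AppData\Local\Temp
  - image whose extension is .tmp
  - service name that is a bare GUID-like string
  - svchost-hosted service whose ServiceDll lives outside %SystemRoot%
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the ComboFix and MBRCheck output above.
SAMPLE = r"""
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-10 135664]
R3 {6F1A1DEF-B8F2-4C88-964CC95379657262};{6F1A1DEF-B8F2-4C88-964CC95379657262};c:\windows\System32\svchost.exe [2008-01-21 21504]
R3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\CF20.tmp [x]
S1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-05-26 18816]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\CF20.tmp"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{6F1A1DEF-B8F2-4C88-964CC95379657262}]
"ServiceDll"="c:\users\Trevor\AppData\Local\Temp\BA9.tmp"
0x8C619000 \??\C:\Windows\system32\SAVRKBootTasks.sys
0xAB208000 \??\C:\Users\Trevor\AppData\Local\Temp\ufdiipob.sys
"""

# One ComboFix service line: "<R|S><n> name;display name;image [date size]"
SERVICE_RE = re.compile(r"^[RS]\d ([^;]+);[^;]*;(.+?) \[.*\]$")
# Registry dump: a service key header, then its ImagePath / ServiceDll value
KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"(ImagePath|ServiceDll)"="(.*)"$')
# MBRCheck kernel driver line: "<load address> <path>"
DRIVER_RE = re.compile(r"^0x[0-9A-F]{8} (\S.*)$", re.I)

# Vista-era per-user temp directory (assumed layout)
TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
# Loose on purpose: the service in the log is 8-4-4-16, not a canonical GUID
GUID_RE = re.compile(r"^\{[0-9A-F-]{32,38}\}$", re.I)


@dataclass
class Entry:
    name: str
    image: str
    source: str                       # "service", "registry:<value>", "driver"
    reasons: list = field(default_factory=list)


def normalize(path: str) -> str:
    """Strip the NT \\??\\ prefix, collapse doubled backslashes, lower-case."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p.replace("\\\\", "\\").lower()


def parse(text: str) -> list:
    """Turn the three log formats into a flat list of (name, image) entries."""
    entries, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SERVICE_RE.match(line):
            entries.append(Entry(m.group(1), normalize(m.group(2)), "service"))
        elif m := KEY_RE.match(line):
            current_key = m.group(1)
        elif (m := VALUE_RE.match(line)) and current_key:
            entries.append(Entry(current_key, normalize(m.group(2)), "registry:" + m.group(1)))
        elif m := DRIVER_RE.match(line):
            image = normalize(m.group(1))
            entries.append(Entry(image.rsplit("\\", 1)[-1], image, "driver"))
    return entries


def check(e: Entry) -> Entry:
    """Apply the review heuristics to one entry, recording every reason."""
    if TEMP_RE.search(e.image):
        e.reasons.append("image under user Temp")
    if e.image.endswith(".tmp"):
        e.reasons.append(".tmp image")
    if GUID_RE.match(e.name):
        e.reasons.append("GUID-like service name")
    if e.source == "registry:ServiceDll" and not e.image.startswith("c:\\windows\\"):
        e.reasons.append("svchost ServiceDll outside %SystemRoot%")
    return e


def triage(text: str) -> dict:
    """Return {entry name: [reasons]} for every entry that tripped a heuristic.

    Reasons are merged across the service line, the registry dump and the
    driver list, so one name collects everything the logs say about it."""
    flagged = {}
    for e in parse(text):
        for r in check(e).reasons:
            bucket = flagged.setdefault(e.name, [])
            if r not in bucket:
                bucket.append(r)
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the sample, the GUID-named service collects four reasons (GUID-like name, Temp-directory image, .tmp image, ServiceDll outside %SystemRoot%), MEMSWEEP2 and ufdiipob.sys collect one each, and the McAfee, Sophos and Google entries collect none. Feeding a whole ComboFix log in works the same way, since lines that match none of the three patterns are ignored.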
 
Looks good now.

How is computer doing?

Download OTL to your Desktop.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
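Editor's note: the thread never says what 80070422 actually means, although the helper's custom scan above is clearly aimed at it (it dumps the WindowsUpdate\AU policy key and the LastSuccessTime value). The code is an HRESULT: the 0x8007 prefix is FACILITY_WIN32 and the low word 0x0422 is Win32 error 1058, ERROR_SERVICE_DISABLED, so the Windows Update client asked the Service Control Manager to start a service whose start type is Disabled. That fits the poster's own report of having had to re-enable services. The block below is an added example written for this page, not the helper's, Microsoft's or any tool's code. Facility numbers and error names are from winerror.h; the list of services to check (wuauserv, bits, cryptsvc, trustedinstaller) is the editor's assumption about what a Vista-era update client needs, not something the thread states.

```python
"""Decode a Windows Update error code such as 80070422 into its parts."""

FACILITY_WIN32 = 7            # 0x8007xxxx: a Win32 error wrapped as an HRESULT
FACILITY_WINDOWSUPDATE = 36   # 0x8024xxxx: the Windows Update agent's own errors

# Win32 codes that commonly surface through Windows Update (names and
# numbers from winerror.h; the table is deliberately short).
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
    1058: "ERROR_SERVICE_DISABLED",
    1060: "ERROR_SERVICE_DOES_NOT_EXIST",
    1062: "ERROR_SERVICE_NOT_ACTIVE",
    1068: "ERROR_SERVICE_DEPENDENCY_FAIL",
}
SERVICE_CODES = {1053, 1058, 1060, 1062, 1068}

# Assumption (editor's, not from the thread): the services a Vista-era
# Windows Update client needs to be startable. Inspect these first when a
# service-class code comes back.
UPDATE_SERVICES = ["wuauserv", "bits", "cryptsvc", "trustedinstaller"]


def parse_code(text: str) -> int:
    """Accept the spellings seen in the wild: '80070422', '0x80070422' and
    the signed decimal form '-2147023838' that some event logs print."""
    s = text.strip().lower()
    if s.startswith("-"):
        return int(s, 10) & 0xFFFFFFFF   # two's complement back to unsigned
    if s.startswith("0x"):
        s = s[2:]
    return int(s, 16)


def decode(text: str) -> dict:
    """Split an HRESULT into severity bit, 11-bit facility and 16-bit code."""
    value = parse_code(text)
    facility = (value >> 16) & 0x7FF      # bits 16..26
    code = value & 0xFFFF                 # bits 0..15
    info = {
        "hresult": f"0x{value:08X}",
        "failed": bool((value >> 31) & 1),   # severity bit: 1 = failure
        "facility": facility,
        "code": code,
    }
    if facility == FACILITY_WIN32:
        info["name"] = WIN32_ERRORS.get(code, f"Win32 error {code}")
    elif facility == FACILITY_WINDOWSUPDATE:
        info["name"] = f"Windows Update agent error 0x{code:04X}"
    else:
        info["name"] = f"facility {facility}, code {code}"
    return info


def services_to_check(info: dict) -> list:
    """A service-class Win32 error means the SCM refused a start request;
    return the services worth inspecting with `sc qc`, in order."""
    if info["facility"] == FACILITY_WIN32 and info["code"] in SERVICE_CODES:
        return list(UPDATE_SERVICES)
    return []


if __name__ == "__main__":
    info = decode("80070422")
    print(info["hresult"], info["name"], services_to_check(info))
```

On the affected machine, `sc qc wuauserv` prints the service's START_TYPE; if it reads DISABLED, `sc config wuauserv start= auto` (the space after `start=` is required by sc.exe) followed by `net start wuauserv`, both from an elevated prompt, restores it, and the same check applies to the other services in the list. A `NoAutoUpdate` value under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU also switches automatic updating off, which is why that key, the one the helper's scan dumps, is worth reading alongside the service start types.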
 
PC seems much better, thanks; no bad popups or anything, but Windows Update still fails with error code 80070422.

OTL logfile created on: 05/04/2011 19:59:19 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\recover
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 450.69 Gb Total Space | 422.44 Gb Free Space | 93.73% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 9.26 Gb Free Space | 61.74% Space Free | Partition Type: NTFS
Drive F: | 1.86 Gb Total Space | 1.61 Gb Free Space | 86.40% Space Free | Partition Type: FAT

Computer Name: TREVOR-PC | User Name: Trevor | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/04/05 19:35:40 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\recover\OTL.exe
PRC - [2011/01/17 16:15:32 | 000,822,560 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcupdate.exe
PRC - [2010/10/13 23:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
PRC - [2010/10/13 23:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
PRC - [2010/09/30 14:10:36 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2010/08/24 14:57:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
PRC - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
PRC - [2009/11/13 17:15:00 | 001,807,600 | ---- | M] () -- C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
PRC - [2009/04/11 07:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2008/09/23 23:09:52 | 001,295,656 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DellDock.exe
PRC - [2008/09/23 23:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/07/18 13:42:10 | 006,246,400 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe


========== Modules (SafeList) ==========

MOD - [2011/04/05 19:35:40 | 000,580,608 | ---- | M] (OldTimer Tools) -- C:\recover\OTL.exe
MOD - [2009/04/11 07:21:38 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- ({6F1A1DEF-B8F2-4C88-964CC95379657262})
SRV - [2010/10/13 23:28:54 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2010/10/13 23:28:54 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 22:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/08/24 14:57:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 10:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2009/02/18 21:59:02 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
SRV - [2008/09/23 23:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2008/07/18 13:42:08 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Disabled | Stopped] -- C:\Windows\System32\AERTSrv.exe -- (AERTFilters)
SRV - [2008/01/21 03:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


========== Driver Services (SafeList) ==========

DRV - [2010/11/18 01:36:02 | 000,021,744 | ---- | M] (PC-Doctor, Inc.) [Kernel | On_Demand | Running] -- c:\Program Files\Dell Support Center\pcdsrvc.pkms -- (PCDSRVC{E9D79540-57D5953E-06020101}_0)
DRV - [2010/10/13 23:28:54 | 000,386,840 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2010/10/13 23:28:54 | 000,313,288 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2010/10/13 23:28:54 | 000,164,840 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
DRV - [2010/10/13 23:28:54 | 000,152,960 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2010/10/13 23:28:54 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2010/10/13 23:28:54 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2010/10/13 23:28:54 | 000,064,304 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
DRV - [2010/10/13 23:28:54 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
DRV - [2010/10/13 23:28:54 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/05/26 10:45:04 | 000,018,816 | ---- | M] (Sophos Plc) [Kernel | System | Running] -- C:\Windows\System32\SAVRKBootTasks.sys -- (SAVRKBootTasks)
DRV - [2008/07/21 12:18:20 | 000,027,648 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\RtNdPt60.sys -- (RtNdPt60)
DRV - [2008/07/10 12:28:50 | 000,123,904 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rtlh86.sys -- (RTL8169)
DRV - [2008/06/13 12:34:12 | 003,592,704 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2008/06/13 12:34:12 | 003,592,704 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2008/01/21 03:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2007/05/11 17:31:36 | 003,580,832 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 5000(UVC)
DRV - [2007/05/11 17:31:22 | 000,041,888 | ---- | M] (Logitech Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-434816535-2944040570-4112479016-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/
IE - HKU\S-1-5-21-434816535-2944040570-4112479016-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 2
IE - HKU\S-1-5-21-434816535-2944040570-4112479016-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "https://mymail1.cityandguilds.com/exchange/"

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/11/05 04:03:55 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/04/03 23:53:04 | 000,000,000 | ---D | M]

[2009/03/04 22:05:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Trevor\AppData\Roaming\Mozilla\Extensions
[2009/03/04 22:05:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Trevor\AppData\Roaming\Mozilla\Firefox\Profiles\38o4k2hg.default\extensions
[2011/04/03 23:34:55 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2009/08/22 13:48:28 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2010/10/13 23:28:54 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Mozilla Firefox\components\Scriptff.dll
[2008/01/04 16:36:50 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2008/01/04 16:36:50 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2008/09/22 20:14:04 | 000,000,759 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2008/01/04 16:36:50 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2011/04/05 00:49:21 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101105030355.dll (McAfee, Inc.)
O4 - HKLM..\Run: [Dell DataSafe Online] C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe (Advanced Micro Devices, Inc.)
O4 - Startup: C:\Users\Fraser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\Lynn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\Spencer\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-434816535-2944040570-4112479016-1000\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-434816535-2944040570-4112479016-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
O15 - HKU\S-1-5-21-434816535-2944040570-4112479016-1000\..Trusted Domains: cityandguilds.com ([mymail1] https in Trusted sites)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1281466038603 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1281466084214 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\x-excid {9D6CC632-1337-4a33-9214-2DA092E776F4} - c:\Windows\Downloaded Program Files\mimectl.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\dellwall1.jpg
O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\dellwall1.jpg
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 22:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - File not found
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: {6F1A1DEF-B8F2-4C88-964CC95379657262} - File not found

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
Drivers32: vidc.i420 - C:\Windows\System32\lvcodec2.dll (Logitech Inc.)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/04/05 19:28:59 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\McAfee
[2011/04/05 00:51:18 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
[2011/04/05 00:51:16 | 000,000,000 | ---D | C] -- C:\Windows\temp
[2011/04/05 00:51:16 | 000,000,000 | ---D | C] -- C:\Users\Trevor\AppData\Local\temp
[2011/04/05 00:41:07 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
[2011/04/04 19:36:06 | 000,000,000 | R--D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Support Center
[2011/04/04 19:31:00 | 000,000,000 | ---D | C] -- C:\Users\Trevor\AppData\Roaming\PCDr
[2011/04/03 22:45:03 | 000,000,000 | ---D | C] -- C:\Users\Trevor\AppData\Roaming\Malwarebytes
[2011/04/03 22:44:57 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2011/04/03 22:44:57 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2011/04/03 22:44:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2011/04/03 22:44:53 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2011/04/03 22:44:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2011/04/03 22:24:22 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
[2011/04/03 22:24:22 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
[2011/04/03 22:24:22 | 000,031,232 | ---- | C] (NirSoft) -- C:\Windows\NIRCMD.exe
[2011/04/03 22:24:18 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
[2011/04/03 22:15:30 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/04/03 22:09:03 | 000,000,000 | ---D | C] -- C:\recover
[2011/04/03 21:58:37 | 000,018,816 | ---- | C] (Sophos Plc) -- C:\Windows\System32\SAVRKBootTasks.sys
[2011/04/03 21:17:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
[2011/04/03 21:17:18 | 000,000,000 | ---D | C] -- C:\Program Files\Sophos
[2011/04/03 18:38:54 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2011/04/03 11:30:10 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard

========== Files - Modified Within 30 Days ==========

[2011/04/05 19:59:59 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{76DDD24A-BDC3-4125-8F2C-A7DE5913AF51}.job
[2011/04/05 19:58:00 | 000,000,420 | -H-- | M] () -- C:\Windows\tasks\User_Feed_Synchronization-{D58BD327-89B8-4938-BECF-ED07E573BA6F}.job
[2011/04/05 19:47:47 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/04/05 19:31:47 | 000,611,664 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2011/04/05 19:31:47 | 000,109,112 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2011/04/05 19:28:59 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2011/04/05 19:28:47 | 000,000,276 | ---- | M] () -- C:\Windows\tasks\RtlNICDiagVistaStart.job
[2011/04/05 19:27:23 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2011/04/05 19:27:23 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2011/04/05 19:27:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2011/04/05 00:49:21 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2011/04/05 00:32:26 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2011/04/04 19:42:26 | 000,000,564 | ---- | M] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2011/04/03 23:53:04 | 000,001,889 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
[2011/04/03 22:42:10 | 000,001,032 | -HS- | M] () -- C:\ProgramData\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.svs
[2011/04/03 21:10:17 | 261,143,016 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2011/04/02 09:33:25 | 000,001,818 | ---- | M] () -- C:\Users\Trevor\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Tool.lnk
[2011/03/26 14:38:00 | 000,000,724 | ---- | M] () -- C:\Users\Trevor\AppData\Roaming\wklnhst.dat
[2011/03/10 18:18:45 | 000,011,264 | ---- | M] () -- C:\Users\Trevor\Documents\Monthly Bills.xlr

========== Files Created - No Company Name ==========

[2011/04/04 19:36:41 | 000,000,564 | ---- | C] () -- C:\Windows\tasks\PCDoctorBackgroundMonitorTask.job
[2011/04/04 19:36:40 | 000,000,422 | ---- | C] () -- C:\Windows\tasks\SystemToolsDailyTest.job
[2011/04/03 22:24:22 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
[2011/04/03 22:24:22 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
[2011/04/03 22:24:22 | 000,089,088 | ---- | C] () -- C:\Windows\MBR.exe
[2011/04/03 22:24:22 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
[2011/04/03 22:24:22 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
[2011/04/03 18:38:49 | 261,143,016 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2011/04/02 09:33:28 | 000,001,032 | -HS- | C] () -- C:\ProgramData\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.svs
[2011/04/02 09:33:25 | 000,001,818 | ---- | C] () -- C:\Users\Trevor\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Tool.lnk
[2010/12/03 18:31:43 | 000,004,608 | ---- | C] () -- C:\Users\Trevor\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/09/11 08:50:58 | 000,000,120 | ---- | C] () -- C:\Users\Trevor\AppData\Local\Scihulivihanofow.dat
[2010/09/11 08:50:58 | 000,000,000 | ---- | C] () -- C:\Users\Trevor\AppData\Local\Ygagunifusiz.bin
[2009/12/11 11:46:36 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/12/11 11:46:36 | 000,107,612 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchema.bin
[2009/08/03 16:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/08/03 16:07:42 | 000,230,768 | ---- | C] () -- C:\Windows\System32\OGAEXEC.exe
[2009/05/18 19:14:42 | 000,000,097 | ---- | C] () -- C:\Windows\System32\PICSDK.ini
[2009/05/18 19:14:41 | 000,111,932 | ---- | C] () -- C:\Windows\System32\EPPICPrinterDB.dat
[2009/05/18 19:14:41 | 000,031,053 | ---- | C] () -- C:\Windows\System32\EPPICPattern131.dat
[2009/05/18 19:14:41 | 000,027,417 | ---- | C] () -- C:\Windows\System32\EPPICPattern121.dat
[2009/05/18 19:14:41 | 000,026,154 | ---- | C] () -- C:\Windows\System32\EPPICPattern1.dat
[2009/05/18 19:14:41 | 000,024,903 | ---- | C] () -- C:\Windows\System32\EPPICPattern3.dat
[2009/05/18 19:14:41 | 000,021,390 | ---- | C] () -- C:\Windows\System32\EPPICPattern5.dat
[2009/05/18 19:14:41 | 000,020,148 | ---- | C] () -- C:\Windows\System32\EPPICPattern2.dat
[2009/05/18 19:14:41 | 000,011,811 | ---- | C] () -- C:\Windows\System32\EPPICPattern4.dat
[2009/05/18 19:14:41 | 000,004,943 | ---- | C] () -- C:\Windows\System32\EPPICPattern6.dat
[2009/05/18 19:14:41 | 000,001,146 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_DU.dat
[2009/05/18 19:14:41 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_PT.dat
[2009/05/18 19:14:41 | 000,001,139 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_BP.dat
[2009/05/18 19:14:41 | 000,001,136 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_ES.dat
[2009/05/18 19:14:41 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_FR.dat
[2009/05/18 19:14:41 | 000,001,129 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_CF.dat
[2009/05/18 19:14:41 | 000,001,120 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_IT.dat
[2009/05/18 19:14:41 | 000,001,107 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_GE.dat
[2009/05/18 19:14:41 | 000,001,104 | ---- | C] () -- C:\Windows\System32\EPPICPresetData_EN.dat
[2009/05/18 19:11:14 | 000,000,025 | ---- | C] () -- C:\Windows\CDE SX200DEFGIPS.ini
[2009/03/08 18:14:17 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/02/26 18:44:20 | 000,000,724 | ---- | C] () -- C:\Users\Trevor\AppData\Roaming\wklnhst.dat
[2009/02/23 16:43:43 | 000,008,248 | ---- | C] () -- C:\Users\Trevor\AppData\Local\en.ini
[2009/02/19 05:28:50 | 003,107,788 | ---- | C] () -- C:\Windows\System32\atiumdva.dat
[2009/02/19 05:28:50 | 000,168,883 | ---- | C] () -- C:\Windows\System32\atiicdxx.dat
[2009/02/19 05:28:50 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2009/02/19 05:28:50 | 000,090,112 | ---- | C] () -- C:\Windows\System32\atibrtmon.exe
[2009/02/19 05:28:50 | 000,081,920 | ---- | C] () -- C:\Windows\System32\ATIODE.exe
[2009/02/19 05:28:50 | 000,040,960 | ---- | C] () -- C:\Windows\System32\ATIODCLI.exe
[2009/02/19 05:25:44 | 000,018,904 | ---- | C] () -- C:\Windows\System32\StructuredQuerySchemaTrivial.bin
[2009/02/18 21:35:08 | 000,000,000 | ---- | C] () -- C:\Windows\ativpsrm.bin
[2007/05/11 16:12:54 | 000,057,126 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2006/11/02 13:57:28 | 000,067,584 | --S- | C] () -- C:\Windows\bootstat.dat
[2006/11/02 13:47:37 | 000,332,560 | ---- | C] () -- C:\Windows\System32\FNTCACHE.DAT
[2006/11/02 13:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 11:33:01 | 000,611,664 | ---- | C] () -- C:\Windows\System32\perfh009.dat
[2006/11/02 11:33:01 | 000,287,440 | ---- | C] () -- C:\Windows\System32\perfi009.dat
[2006/11/02 11:33:01 | 000,109,112 | ---- | C] () -- C:\Windows\System32\perfc009.dat
[2006/11/02 11:33:01 | 000,030,674 | ---- | C] () -- C:\Windows\System32\perfd009.dat
[2006/11/02 11:23:21 | 000,215,943 | ---- | C] () -- C:\Windows\System32\dssec.dat
[2006/11/02 09:58:30 | 000,043,131 | ---- | C] () -- C:\Windows\mib.bin
[2006/11/02 09:19:00 | 000,000,741 | ---- | C] () -- C:\Windows\System32\NOISE.DAT
[2006/11/02 08:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 08:25:31 | 000,673,088 | ---- | C] () -- C:\Windows\System32\mlang.dat
[2003/01/07 16:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI

========== LOP Check ==========

[2009/02/25 23:11:51 | 000,000,000 | ---D | M] -- C:\Users\Fraser\AppData\Roaming\Template
[2010/10/25 18:38:51 | 000,000,000 | ---D | M] -- C:\Users\Spencer\AppData\Roaming\Laza
[2009/02/23 17:46:11 | 000,000,000 | ---D | M] -- C:\Users\Spencer\AppData\Roaming\Template
[2010/10/31 10:43:59 | 000,000,000 | ---D | M] -- C:\Users\Spencer\AppData\Roaming\Ymxe
[2011/04/04 19:32:45 | 000,000,000 | ---D | M] -- C:\Users\Trevor\AppData\Roaming\PCDr
[2009/02/26 18:44:21 | 000,000,000 | ---D | M] -- C:\Users\Trevor\AppData\Roaming\Template
[2011/04/04 19:42:26 | 000,000,564 | ---- | M] () -- C:\Windows\Tasks\PCDoctorBackgroundMonitorTask.job
[2011/04/05 19:28:47 | 000,000,276 | ---- | M] () -- C:\Windows\Tasks\RtlNICDiagVistaStart.job
[2011/04/05 01:02:18 | 000,032,648 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
[2011/04/05 19:47:47 | 000,000,422 | ---- | M] () -- C:\Windows\Tasks\SystemToolsDailyTest.job
[2011/04/05 19:59:59 | 000,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{76DDD24A-BDC3-4125-8F2C-A7DE5913AF51}.job
[2011/04/05 19:58:00 | 000,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{D58BD327-89B8-4938-BECF-ED07E573BA6F}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2006/09/18 22:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
[2010/05/23 11:28:52 | 000,386,560 | ---- | M] () -- C:\Baseline Standard Candidate Forms (SELEX COMMS) Issue 2.doc
[2010/05/28 09:24:13 | 000,136,192 | ---- | M] () -- C:\BASILDON Pre employment Medical Questionnaire.doc
[2009/04/11 07:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
[2010/05/09 11:28:26 | 000,008,704 | ---- | M] () -- C:\C&G Letter 070510.wps
[2009/12/04 11:45:43 | 000,030,720 | ---- | M] () -- C:\C&G letter_041209.wps
[2009/08/23 11:49:43 | 000,009,216 | ---- | M] () -- C:\C&G letter_230809.wps
[2011/04/05 00:51:15 | 000,014,780 | ---- | M] () -- C:\ComboFix.txt
[2006/09/18 22:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
[2011/03/06 10:59:08 | 000,029,184 | ---- | M] () -- C:\Cover letter Byways_060311.doc
[2010/05/11 15:08:41 | 000,057,344 | ---- | M] () -- C:\Cover letter Odgers_110410.doc
[2011/02/28 20:40:18 | 000,025,600 | ---- | M] () -- C:\Cover letter WNS_280211.doc
[2010/05/11 12:13:34 | 000,057,344 | ---- | M] () -- C:\Cover letterCIE_110510.doc
[2010/03/12 18:03:14 | 000,057,856 | ---- | M] () -- C:\Cover letter_120310.doc
[2009/11/20 12:55:52 | 000,045,568 | ---- | M] () -- C:\CV.181009.doc
[2010/06/04 07:45:38 | 000,008,704 | ---- | M] () -- C:\Davies letter_040610.wps
[2009/02/19 05:29:01 | 000,004,528 | RH-- | M] () -- C:\dell.sdr
[2010/12/03 19:31:34 | 000,039,424 | ---- | M] () -- C:\Fraser CV_031210.doc
[2010/04/25 11:57:36 | 000,041,472 | ---- | M] () -- C:\Fraser CV_040908.doc
[2011/02/26 14:27:08 | 000,042,496 | ---- | M] () -- C:\Fraser CV_260211.doc
[2010/01/10 08:43:21 | 000,010,240 | ---- | M] () -- C:\Haydens letter_100110.wps
[2009/11/27 09:58:59 | 000,071,680 | ---- | M] () -- C:\Head of International Sales v5 5-10-05.DOC
[2010/04/19 12:17:13 | 007,489,797 | ---- | M] () -- C:\Idec User Guide.pdf
[2010/04/15 13:23:10 | 000,193,024 | ---- | M] () -- C:\Interview CA Presentation.ppt
[2010/04/09 18:56:44 | 000,077,824 | ---- | M] () -- C:\Interview Task(v4).doc
[2009/11/22 23:45:10 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/11/22 23:45:10 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2010/06/12 14:44:49 | 000,156,672 | ---- | M] () -- C:\Normal.dot
[2011/04/05 19:27:14 | 2460,430,336 | -HS- | M] () -- C:\pagefile.sys
[2011/04/05 00:37:28 | 000,000,370 | ---- | M] () -- C:\rkill.log
[2010/05/23 09:03:43 | 000,135,680 | ---- | M] () -- C:\SELEX_Bank Account Details.doc
[2010/05/23 09:05:29 | 000,081,408 | ---- | M] () -- C:\SELEX_Computor Usage Form.doc
[2010/05/23 08:58:45 | 000,140,288 | ---- | M] () -- C:\SELEX_Personal details.doc
[2010/04/25 12:05:47 | 000,027,648 | ---- | M] () -- C:\Spencer CV4.doc
[2010/04/29 06:47:35 | 000,054,784 | ---- | M] () -- C:\TBCV(V3)_120310.doc
[2010/04/29 07:38:42 | 000,050,688 | ---- | M] () -- C:\TBCV(V4)_290410.doc
[2010/05/11 11:22:03 | 000,050,688 | ---- | M] () -- C:\TBCV(V5)_110510.doc
[2011/04/03 22:44:26 | 000,060,342 | ---- | M] () -- C:\TDSSKiller.2.4.21.0_03.04.2011_22.43.36_log.txt
[2010/06/27 11:25:27 | 000,000,051 | ---- | M] () -- C:\wanadoo network key.txt

< %systemroot%\Fonts\*.com >
[2006/11/02 13:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 13:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 13:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2009/12/23 12:29:31 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2006/09/18 22:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/11/02 10:46:04 | 000,032,768 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\Windows\System32\spool\prtprocs\w32x86\EP0NPP01.DLL
[2006/11/02 13:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll
[2007/04/09 14:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\mdippr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2009/07/10 13:15:46 | 000,306,544 | ---- | M] (Microsoft Corporation) -- C:\Windows\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >
[2008/01/21 03:43:21 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2008/01/21 04:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
[2008/01/21 04:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
[2008/01/21 04:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
[2006/11/02 11:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
[2006/11/02 11:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2010/09/05 10:35:52 | 000,000,286 | -HS- | M] () -- C:\Users\Trevor\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2009/02/23 14:56:14 | 000,000,402 | -HS- | M] () -- C:\Users\Trevor\Favorites\desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2011/04/02 09:33:24 | 000,025,214 | -HS- | M] () -- C:\ProgramData\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.ico
[2011/04/03 22:42:10 | 000,001,032 | -HS- | M] () -- C:\ProgramData\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.svs

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< End of report >
 
OTL Extras logfile created on: 05/04/2011 19:59:19 - Run 1
OTL by OldTimer - Version 3.2.22.3 Folder = C:\recover
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18928)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 3.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 450.69 Gb Total Space | 422.44 Gb Free Space | 93.73% Space Free | Partition Type: NTFS
Drive D: | 15.00 Gb Total Space | 9.26 Gb Free Space | 61.74% Space Free | Partition Type: NTFS
Drive F: | 1.86 Gb Total Space | 1.61 Gb Free Space | 86.40% Space Free | Partition Type: FAT

Computer Name: TREVOR-PC | User Name: Trevor | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-434816535-2944040570-4112479016-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{2E984798-6F79-4785-8A6D-625666FDF258}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{33B5B645-391B-4B79-AA3F-F5496C876482}" = lport=2869 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{0CC507D6-F2A5-434A-B8AD-7A46831655E9}" = dir=in | app=c:\program files\windows live\sync\windowslivesync.exe |
"{1EDB2F32-BAF8-4DE4-8E1E-7AF5BD1B5A0B}" = protocol=6 | dir=in | app=c:\windows\system32\rundll32.exe |
"{4B013513-7DDF-4026-BFB1-7AC26B35BF3F}" = protocol=6 | dir=in | app=c:\windows\system32\rundll32.exe |
"{55D6D5D9-7F03-4B0C-9480-89D6C2915B82}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{688A15B6-E677-469C-9616-81F292794DA3}" = protocol=17 | dir=in | app=c:\windows\system32\rundll32.exe |
"{70E50594-9FF7-40B0-BC52-3493038384BA}" = dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
"{97AD5D27-BD12-451F-8359-FE70B80AFD23}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{C3DE574A-900A-4E6A-B246-CBCF1975F6D4}" = protocol=17 | dir=in | app=c:\windows\system32\rundll32.exe |
"TCP Query User{1FB045EB-83BA-41F0-AB10-0A0FAA6A54D9}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{553DBC4F-43A3-479C-AB16-3959A0F53A35}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |
"TCP Query User{6F845FAC-1700-468C-AA93-1FCC09A6E440}C:\windows\explorer.exe" = protocol=6 | dir=in | app=c:\windows\explorer.exe |
"TCP Query User{857BFBEE-77E6-492E-8CC6-C33B9FC24098}C:\windows\system32\taskeng.exe" = protocol=6 | dir=in | app=c:\windows\system32\taskeng.exe |
"TCP Query User{C778CEB0-5AC7-45F5-BD65-F30AD37655C5}C:\users\spencer\ares\ares.exe" = protocol=6 | dir=in | app=c:\users\spencer\ares\ares.exe |
"TCP Query User{D828A302-440A-4CB5-8C41-813B17213146}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{0AB63A6A-D056-447F-98F9-A1C1A314A9AA}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |
"UDP Query User{0E3117ED-C7BA-465D-86EF-22C27F8B95B3}C:\windows\system32\taskeng.exe" = protocol=17 | dir=in | app=c:\windows\system32\taskeng.exe |
"UDP Query User{135D3D2A-42FA-4F8A-99BD-8B2B5A15772F}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{80655C4A-3E2D-4B1E-9884-82002B9BE7AA}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |
"UDP Query User{8797DC37-AA11-48D8-B540-A04945551706}C:\users\spencer\ares\ares.exe" = protocol=17 | dir=in | app=c:\users\spencer\ares\ares.exe |
"UDP Query User{C6023746-E43D-40E5-963A-D95A5C0CC18B}C:\windows\explorer.exe" = protocol=17 | dir=in | app=c:\windows\explorer.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0090A87C-3E0E-43D4-AA71-A71B06563A4A}" = Dell Support Center
"{03B25762-461B-22C8-9AF0-170F3D749061}" = Catalyst Control Center Graphics Previews Vista
"{03BF49A6-A643-A836-0732-2467E9A6B911}" = Catalyst Control Center Localization Korean
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}" = Windows Live ID Sign-in Assistant
"{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
"{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
"{0AC7F464-85E9-337D-B100-DC178C14A699}" = Catalyst Control Center Core Implementation
"{0BC1B842-C298-99E6-D0A8-FA3B33A07C5C}" = Catalyst Control Center Localization German
"{0BF215E3-C97F-7BF3-96D0-9C7D3F5FF9B4}" = Catalyst Control Center Localization Chinese Traditional
"{0D1303D7-3918-3014-E119-33DBB649BE86}" = Catalyst Control Center Localization Spanish
"{13766F76-6C8C-4E57-A9F3-3212D1C6E0D1}" = Dell DataSafe Online
"{138BF761-BFAA-29BB-B755-91262DE91A19}" = ccc-core-static
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{162981A5-050A-3DDA-2477-49724E334DEF}" = CCC Help Spanish
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
"{1FECF5F8-8E75-432C-9FF7-1C04F1956B54}" = Realtek Ethernet Network Card Diagnostic tool for Windows Vista
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{276B965A-AC01-955C-E678-C8D25C58A42B}" = Catalyst Control Center Graphics Previews Common
"{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}" = EPSON Scan Assistant
"{2B83C858-A352-1E5D-0052-C326C815F3C4}" = CCC Help Japanese
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3D5044A5-97B8-45C0-B956-BB2376569188}" = Windows Live Movie Maker
"{42EDF895-158C-484E-A7F2-42B90759F281}" = Camera RAW Plug-In for EPSON Creativity Suite
"{46CBBDF8-55B5-40DB-B459-7B848394309C}" = EPSON File Manager
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{5370D92F-CF5A-4A38-DE84-151F9F58BCB2}" = Catalyst Control Center Localization Italian
"{56CDA83B-BC0B-A4A7-BD48-1176A6C97033}" = Catalyst Control Center Graphics Light
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{63EB4545-0CB5-35FE-D20C-F8E6995703F3}" = Catalyst Control Center Localization French
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
"{6CF08AD2-00C5-4A63-B74B-2EFFFAFEBE1A}" = Microsoft Outlook Web Access S/MIME
"{712A51A2-68F2-17D2-E3EB-C199DA0E0BE0}" = Catalyst Control Center Localization Portuguese
"{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{88477E65-A679-2CAE-645A-5073ED86715B}" = CCC Help Portuguese
"{88DCB080-7A56-5697-4407-21BD03DCE401}" = Catalyst Control Center Graphics Full New
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A8F8391-4C2C-4BE1-A984-CD4A5A546467}" = EPSON Easy Photo Print
"{8AC7ACAD-10E5-E7F4-481A-29C4C8B19990}" = Catalyst Control Center Graphics Full Existing
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90850409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Word Viewer 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{99D8CE0E-20C7-3761-5F90-0E1329A55824}" = CCC Help Hungarian
"{9C2F79E2-4B21-E840-CF5B-FF1EE52E5B9F}" = Catalyst Control Center Localization Chinese Standard
"{A029AD64-F8F2-09AD-E29B-623B4BBF872C}" = CCC Help French
"{A09B8374-BD00-63EB-9616-E624A44EF877}" = CCC Help German
"{A28D08AE-3FBD-EBDB-BA28-CE719F699E48}" = CCC Help Chinese Standard
"{A3111537-BA7A-C129-1E6B-E2C77DCA3AD2}" = CCC Help Italian
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-A94000000001}" = Adobe Reader 9.4.3
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B2050314-D2DF-6589-E155-5E4E8F8AB3D4}" = Catalyst Control Center Localization Turkish
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
"{B935C985-A17F-484B-8470-09E4FC27DC26}" = Dell-eBay
"{C2112C02-1BCA-A86F-F6E1-264CCE43F451}" = CCC Help Chinese Traditional
"{C2D541C2-B516-B049-EC3F-41B7A8E1C72D}" = ccc-utility
"{C39A4E1F-9AF1-4FE1-A80E-A5B867FABB42}" = Dell Best of Web
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}" = Apple Mobile Device Support
"{CDA2EBE1-999C-48FB-DF9A-81C789900BFF}" = CCC Help Turkish
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D68F16A7-9447-8A92-7EF3-A4E26B2A95EE}" = CCC Help English
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{DE27264D-7CA0-3317-7192-C64F0B7D9AB3}" = Catalyst Control Center Localization Japanese
"{E044161D-75F5-3EC5-2BDA-42D106E602D2}" = CCC Help Korean
"{E112EC9E-B411-F3E0-EF02-C0D21C09F329}" = Catalyst Control Center Localization Hungarian
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{EA778E78-0B7B-05AE-A72F-AF484D201DFB}" = Skins
"{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}" = Microsoft Office Live Add-in 1.5
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F6CB42B9-F033-4152-8813-FF11DA8E6A78}" = Dell Dock
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Dell Support Center" = Dell Support Center
"EPSON Scanner" = EPSON Scan
"EPSON Stylus SX200 Series" = EPSON Stylus SX200 Series Printer Uninstall
"EPSON Stylus SX200_SX400_TX200_TX400 User’s Guide" = EPSON Stylus SX200_SX400_TX200_TX400 Manual
"Google Chrome" = Google Chrome
"GoToAssist" = GoToAssist 8.0.0.514
"InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5}" = EPSON Attach To Email
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.0.6)" = Mozilla Firefox (3.0.6)
"MSC" = McAfee SecurityCenter
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.4
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 03/04/2011 06:32:00 | Computer Name = Trevor-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\QuickTime\QuickTimePlayer.exe".
Dependent
Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 03/04/2011 12:27:13 | Computer Name = Trevor-PC | Source = WinMgmt | ID = 10
Description =

Error - 03/04/2011 12:58:01 | Computer Name = Trevor-PC | Source = WinMgmt | ID = 10
Description =

Error - 03/04/2011 13:31:13 | Computer Name = Trevor-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\QuickTime\QuickTimePlayer.exe".
Dependent
Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 03/04/2011 13:40:37 | Computer Name = Trevor-PC | Source = WinMgmt | ID = 10
Description =

Error - 03/04/2011 13:40:46 | Computer Name = Trevor-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 03/04/2011 13:40:46 | Computer Name = Trevor-PC | Source = Windows Search Service | ID = 3013
Description =

Error - 03/04/2011 14:05:14 | Computer Name = Trevor-PC | Source = WinMgmt | ID = 10
Description =

Error - 03/04/2011 14:08:19 | Computer Name = Trevor-PC | Source = SideBySide | ID = 16842785
Description = Activation context generation failed for "C:\Program Files\QuickTime\QuickTimePlayer.exe".
Dependent
Assembly Microsoft.VC80.CRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50727.4053"
could not be found. Please use sxstrace.exe for detailed diagnosis.

Error - 03/04/2011 14:08:20 | Computer Name = Trevor-PC | Source = EventSystem | ID = 4609
Description =

[ Media Center Events ]
Error - 09/07/2009 06:40:26 | Computer Name = Trevor-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

Error - 14/02/2010 16:08:52 | Computer Name = Trevor-PC | Source = Media Center Guide | ID = 0
Description = Event Info: ERROR: SqmApiWrapper.TimerRecord failed; Win32 GetLastError
returned 10000105 Process: DefaultDomain Object Name: Media Center Guide

[ System Events ]
Error - 03/04/2011 18:45:28 | Computer Name = Trevor-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 03/04/2011 18:53:07 | Computer Name = Trevor-PC | Source = DCOM | ID = 10005
Description =

Error - 03/04/2011 18:53:08 | Computer Name = Trevor-PC | Source = Service Control Manager | ID = 7009
Description =

Error - 03/04/2011 18:53:08 | Computer Name = Trevor-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 03/04/2011 19:17:57 | Computer Name = Trevor-PC | Source = volsnap | ID = 393236
Description = The shadow copies of volume C: were aborted because of a failed free
space computation.

Error - 04/04/2011 15:49:04 | Computer Name = Trevor-PC | Source = DCOM | ID = 10010
Description =

Error - 04/04/2011 19:32:17 | Computer Name = Trevor-PC | Source = Service Control Manager | ID = 7011
Description =

Error - 04/04/2011 19:43:00 | Computer Name = Trevor-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 04/04/2011 19:46:21 | Computer Name = Trevor-PC | Source = Service Control Manager | ID = 7030
Description =

Error - 04/04/2011 19:49:23 | Computer Name = Trevor-PC | Source = Service Control Manager | ID = 7030
Description =


< End of report >
 
1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove the old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.

=====================================================================

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    SRV - File not found [On_Demand | Stopped] -- -- ({6F1A1DEF-B8F2-4C88-964CC95379657262})
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O15 - HKU\S-1-5-21-434816535-2944040570-4112479016-1000\..Trusted Domains: cityandguilds.com ([mymail1] https in Trusted sites)
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    NetSvcs: {6F1A1DEF-B8F2-4C88-964CC95379657262} - File not found
    [2011/04/02 09:33:28 | 000,001,032 | -HS- | C] () -- C:\ProgramData\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.svs
    [2010/09/11 08:50:58 | 000,000,120 | ---- | C] () -- C:\Users\Trevor\AppData\Local\Scihulivihanofow.dat
    [2010/09/11 08:50:58 | 000,000,000 | ---- | C] () -- C:\Users\Trevor\AppData\Local\Ygagunifusiz.bin
    [2011/04/02 09:33:24 | 000,025,214 | -HS- | M] () -- C:\ProgramData\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.ico
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, and reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

======================================================================

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE SecurityCheck may produce some false warning(s), so leave the results reading to me.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • IMPORTANT! UN-check Remove found threats
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If ESET doesn't find any threats, it won't produce any log.
 
Results of screen317's Security Check version 0.99.7
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
McAfee SecurityCenter
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 7
Out of date Java installed!
Adobe Flash Player 10.0.45.2
Adobe Reader 9.4.3
Out of date Adobe Reader installed!
Mozilla Firefox (3.0.6) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

``````````End of Log````````````
 
C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Win32/Mebroot.mbr trojan
C:\Qoobox\Quarantine\C\ProgramData\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.dat.vir a variant of Win32/Adware.AntimalwareDefender.E application
 
You didn't follow up on updating Java and running JavaRa to remove the old version.
Please do it now.

Update Firefox to the latest 4.0 version.

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), then download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses far fewer resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, and reboot the PC when it is done
  • Post resulting log.

2. Now, we'll remove all the tools we used during our cleaning process

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please let me know how your computer is doing.
 
I have now updated Java and run JavaRa and the OTL script you gave me before; here is the log

All processes killed
========== OTL ==========
Service {6F1A1DEF-B8F2-4C88-964CC95379657262} stopped successfully!
Service {6F1A1DEF-B8F2-4C88-964CC95379657262} deleted successfully!
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry key HKEY_USERS\S-1-5-21-434816535-2944040570-4112479016-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cityandguilds.com\mymail1\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
{6F1A1DEF-B8F2-4C88-964CC95379657262} removed from NetSvcs value successfully!
C:\ProgramData\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.svs moved successfully.
C:\Users\Trevor\AppData\Local\Scihulivihanofow.dat moved successfully.
C:\Users\Trevor\AppData\Local\Ygagunifusiz.bin moved successfully.
C:\ProgramData\5c54d9f8-09c1-4c04-aa57-1c76128b1bf0kmvdwikgt8bk9YGEs8wcQx3zBy11.ico moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Fraser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Lynn
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Spencer
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Trevor
->Temp folder emptied: 553800 bytes
->Temporary Internet Files folder emptied: 25829496 bytes
->Java cache emptied: 3992 bytes
->FireFox cache emptied: 6899814 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 32.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Fraser
->Flash cache emptied: 0 bytes

User: Lynn
->Flash cache emptied: 0 bytes

User: Public

User: Spencer
->Flash cache emptied: 0 bytes

User: Trevor
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.22.3 log created on 04062011_231534

Files\Folders moved on Reboot...
File\Folder C:\Users\Trevor\AppData\Local\Temp\~DF22F5.tmp not found!
File\Folder C:\Users\Trevor\AppData\Local\Temp\~DF2300.tmp not found!
File\Folder C:\Users\Trevor\AppData\Local\Temp\~DF2355.tmp not found!
File\Folder C:\Users\Trevor\AppData\Local\Temp\~DF2360.tmp not found!
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N03TYW36\crosspixel-dest[1].htm moved successfully.
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N03TYW36\topic163359[1].html moved successfully.
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AV1D10S4\net[1].htm moved successfully.
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6JF39R8U\ads[3].htm moved successfully.
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6JF39R8U\sh37[1].html moved successfully.
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...
 
I have upgraded Firefox and Adobe Reader and run the OTL script to clear all restore points. Here is the log:

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Fraser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Lynn
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Spencer
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Trevor
->Temp folder emptied: 143187 bytes
->Temporary Internet Files folder emptied: 4906222 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 456 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 5.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Fraser
->Flash cache emptied: 0 bytes

User: Lynn
->Flash cache emptied: 0 bytes

User: Public

User: Spencer
->Flash cache emptied: 0 bytes

User: Trevor
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb



OTL by OldTimer - Version 3.2.22.3 log created on 04062011_232955

Files\Folders moved on Reboot...
File\Folder C:\Users\Trevor\AppData\Local\Temp\~DFE69D.tmp not found!
File\Folder C:\Users\Trevor\AppData\Local\Temp\~DFE6DA.tmp not found!
File\Folder C:\Users\Trevor\AppData\Local\Temp\~DFE72D.tmp not found!
File\Folder C:\Users\Trevor\AppData\Local\Temp\~DFE752.tmp not found!
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WR3TFEAJ\sh37[1].html moved successfully.
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EFPMKFNW\ads[1].htm moved successfully.
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EFPMKFNW\crosspixel-dest[1].htm moved successfully.
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2HA471O5\topic163359[1].html moved successfully.
C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.

Registry entries deleted on Reboot...
 
Computer seems good, thanks for all your expert help.
But Windows Update is still getting error code 80070422 and
Windows Defender says it is turned off by group policy.
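An added diagnostic example, not posted by anyone in this thread and not one of the helper's tools: the two symptoms in the post above (error 80070422 from Windows Update, Defender reporting it is off by group policy) both point at configuration rather than a missing file. 0x80070422 is a FACILITY_WIN32 HRESULT whose low 16 bits are Win32 error 1058, ERROR_SERVICE_DISABLED, so the first thing worth checking is which of the services Windows Update depends on is disabled, and whether a local Policies key is what is switching Defender off. The script below is read-only: it decodes the code, lists the start mode of the relevant services and shows any policy values present. It assumes PowerShell 2.0 or later run as administrator, the standard service names wuauserv, BITS and WinDefend, and the standard Microsoft policy paths; it changes nothing.

```powershell
# Added example (not from the thread). Read-only diagnostics for Windows Update
# error 0x80070422 and a Defender "turned off by group policy" message.
# Assumptions: elevated PowerShell 2.0+ on Vista/7; standard service names and
# policy registry paths as documented by Microsoft.

# --- 1. Decode the HRESULT --------------------------------------------------
# FACILITY_WIN32 HRESULTs (0x8007xxxx) carry the Win32 error in the low 16 bits.
$hresult   = 0x80070422
$win32Code = $hresult -band 0xFFFF          # 1058 = ERROR_SERVICE_DISABLED
$message   = (New-Object System.ComponentModel.Win32Exception($win32Code)).Message
"0x{0:X8} -> Win32 error {1}: {2}" -f $hresult, $win32Code, $message

# --- 2. Start mode of the services Windows Update and Defender rely on ------
# Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service in
# PowerShell 2.0 does not. A 'Disabled' entry here is exactly what 1058 reports.
$serviceNames = 'wuauserv', 'BITS', 'WinDefend'
foreach ($name in $serviceNames) {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($svc -eq $null) {
        "{0,-10} not installed" -f $name
        continue
    }
    "{0,-10} state={1,-8} startmode={2}" -f $name, $svc.State, $svc.StartMode
    if ($svc.StartMode -eq 'Disabled') {
        "           -> '$name' is Disabled; re-enable it (services.msc) before retrying Windows Update."
    }
}

# --- 3. Policy values that switch these features off --------------------------
# On a standalone home PC these keys are normally absent. A populated value
# means something local (an installer or the malware that was just removed)
# wrote a policy; review it with the helper before changing anything.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';            Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';    Name = 'NoAutoUpdate' }
)
foreach ($check in $policyChecks) {
    if (-not (Test-Path $check.Path)) {
        "{0}\{1}: key absent (no policy set)" -f $check.Path, $check.Name
        continue
    }
    $item  = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
    $value = $item.($check.Name)
    if ($value -eq $null) {
        "{0}\{1}: key present, value not set" -f $check.Path, $check.Name
    } else {
        "{0}\{1} = {2}  <- policy is set; 1 disables the feature" -f $check.Path, $check.Name, $value
    }
}
```

Reading the output: if wuauserv or BITS shows startmode=Disabled, that alone produces 80070422 even when the Windows Update service itself looks "started" in Control Panel, which is why turning services on one by one in the Services applet can miss the dependency. A DisableAntiSpyware value of 1 under the Policies key is the usual reason a home machine reports that Defender is turned off by group policy when no domain policy exists.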
 