TechSpot

IE stops working, Data Execution Preventer closes it

By brothwpj79
Oct 31, 2010
  1. In a moment of madness, my girlfriend followed a link to download a photo from a private message on Facebook from one of her friends.

    Since then, whenever she opens IE it stops working and searches for a solution, which is not forthcoming, after which a message opens advising that Data Execution Preventer closed IE.

    I'm pretty sure I've followed as many of the 8 steps as possible, so I attach the relevant logs.

    Please let me know if there is some documentation missing, and if you can resolve this, any help would be much appreciated.

    Cheers, Pete
     

    Attached Files:

  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
     
  3. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    Thanks Broni

    Here we go then...

    Step 1: Antivirus scanning

    Completed - McAfee Internet Security reported no problems.
    *****

    Step 2: Temporary File Cleaner

    Completed
    *****

    Step 3: Malwarebytes Anti-Malware

    Completed - no restart required, log as follows:


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 5009

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18975

    31/10/2010 23:11:43
    mbam-log-2010-10-31 (23-11-43).txt

    Scan type: Quick scan
    Objects scanned: 1
    Time elapsed: 4 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    *****

    Step 4: GMER

    Completed - log as follows in the next three posts
     
  4. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    GMER 1.0.15.15477 - http://www.gmer.net
    Rootkit scan 2010-10-31 22:47:58
    Windows 6.0.6002 Service Pack 2
    Running: rtkfy5oh.exe; Driver: C:\Users\Nicky\AppData\Local\Temp\kglcqpoc.sys


    ---- System - GMER 1.0.15 ----

    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwAssignProcessToJobObject [0x90DA2FE4]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwCreateFile [0x90DA3996]
    SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys ZwCreateThread [0x91003864]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteFile [0x90DA3AF6]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteKey [0x90DA736C]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwDeleteValueKey [0x90DA739E]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwLoadKey [0x90DA7500]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenFile [0x90DA3A5A]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenProcess [0x90DA3128]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwOpenThread [0x90DA331A]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwProtectVirtualMemory [0x90DA344C]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwQueryValueKey [0x90DA7476]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRenameKey [0x90DA73E0]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwReplaceKey [0x90DA7412]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwRestoreKey [0x90DA7444]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetContextThread [0x90DA2F8A]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSetInformationFile [0x90DA3B56]
    SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys ZwSetValueKey [0x9100382E]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwSuspendThread [0x90DA2F26]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateProcess [0x90DA2E7A]
    SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys ZwTerminateThread [0x90DA2EC2]
    SSDT \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys ZwCreateThreadEx [0x910038DC]

    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x8BF48068]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x8BF4807E]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x8BF48054]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntkrnlpa.exe!ZwYieldExecution 8423F9D2 5 Bytes JMP 8BF48058 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    .text ntkrnlpa.exe!KeSetEvent + 191 842C08F4 4 Bytes [E4, 2F, DA, 90]
    .text ntkrnlpa.exe!KeSetEvent + 1D9 842C093C 4 Bytes [96, 39, DA, 90] {XCHG ESI, EAX; CMP EDX, EBX; NOP }
    .text ntkrnlpa.exe!KeSetEvent + 221 842C0984 4 Bytes [64, 38, 00, 91] {CMP FS:[EAX], AL; XCHG ECX, EAX}
    .text ntkrnlpa.exe!KeSetEvent + 2D1 842C0A34 8 Bytes [F6, 3A, DA, 90, 6C, 73, DA, ...] {IDIV BYTE [EDX]; FICOM DWORD [EAX-0x6f258c94]}
    .text ntkrnlpa.exe!KeSetEvent + 2E1 842C0A44 4 Bytes [9E, 73, DA, 90] {SAHF ; JAE 0xffffffffffffffdd; NOP }
    .text ...
    PAGE ntkrnlpa.exe!NtMapViewOfSection 844244FA 7 Bytes JMP 8BF4806C \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 844247BD 5 Bytes JMP 8BF48082 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    ---- User code sections - GMER 1.0.15 ----

    .text C:\Windows\system32\services.exe[684] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 00680FEF
    .text C:\Windows\system32\services.exe[684] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 00680FCD
    .text C:\Windows\system32\services.exe[684] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 00680FDE
    .text C:\Windows\system32\services.exe[684] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 00670F72
    .text C:\Windows\system32\services.exe[684] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 006700B8
    .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 006700F8
    .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 00670F61
    .text C:\Windows\system32\services.exe[684] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 00670FA8
    .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 00670040
    .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 00670051
    .text C:\Windows\system32\services.exe[684] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 00670F8D
    .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 00670FB9
    .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 0067006C
    .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 00670FCA
    .text C:\Windows\system32\services.exe[684] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 00670FE5
    .text C:\Windows\system32\services.exe[684] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 00670093
    .text C:\Windows\system32\services.exe[684] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 00670113
    .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 00670025
    .text C:\Windows\system32\services.exe[684] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 00670000
    .text C:\Windows\system32\services.exe[684] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 006700DD
    .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 00690036
    .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 0069001B
    .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 00690000
    .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 00690F94
    .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 00690F6F
    .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 00690FD4
    .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 00690FE5
    .text C:\Windows\system32\services.exe[684] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 00690FAF
    .text C:\Windows\system32\services.exe[684] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 006A0FAD
    .text C:\Windows\system32\services.exe[684] msvcrt.dll!system 76D7804B 5 Bytes JMP 006A0038
    .text C:\Windows\system32\services.exe[684] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 006A0FD2
    .text C:\Windows\system32\services.exe[684] msvcrt.dll!_open 76D7D106 5 Bytes JMP 006A0000
    .text C:\Windows\system32\services.exe[684] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 006A001D
    .text C:\Windows\system32\services.exe[684] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 006A0FE3
    .text C:\Windows\system32\services.exe[684] WS2_32.dll!socket 776536D1 5 Bytes JMP 006B0FE5
    .text C:\Windows\system32\lsass.exe[696] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 001F0000
    .text C:\Windows\system32\lsass.exe[696] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 001F0FCA
    .text C:\Windows\system32\lsass.exe[696] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 001F0FDB
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 001E00AB
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 001E0F6F
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 001E0F36
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 001E00D7
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 001E0F94
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 001E001B
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 001E002C
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 001E009A
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 001E0FA5
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 001E0FC0
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 001E0062
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 001E0047
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 001E0089
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 001E00F2
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 001E000A
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 001E0FEF
    .text C:\Windows\system32\lsass.exe[696] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 001E00C6
    .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 00200062
    .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 00200FCA
    .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 00200FEF
    .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 00200051
    .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 00200FA5
    .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 0020001B
    .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 00200000
    .text C:\Windows\system32\lsass.exe[696] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 00200036
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 00210F90
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!system 76D7804B 5 Bytes JMP 0021001B
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 00210FBC
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_open 76D7D106 5 Bytes JMP 00210FEF
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 00210FAB
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 00210000
    .text C:\Windows\system32\lsass.exe[696] WS2_32.dll!socket 776536D1 5 Bytes JMP 00980FEF
    .text C:\Windows\system32\svchost.exe[728] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 00690FEF
    .text C:\Windows\system32\svchost.exe[728] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 00690025
    .text C:\Windows\system32\svchost.exe[728] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 00690014
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 006800A6
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 00680095
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 00680F0F
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 00680F20
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 00680073
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 00680025
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 00680FCA
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 00680F6A
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 00680062
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 00680051
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 00680FA5
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 00680036
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 00680084
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 006800C1
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 00680FE5
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 00680000
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 00680F45
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 00670036
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!system 76D7804B 5 Bytes JMP 0067001B
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 00670FC6
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!_open 76D7D106 5 Bytes JMP 00670000
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 00670FB5
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 00670FD7
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 0013004E
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 0013003D
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 00130000
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 00130FB6
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 00130F87
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 0013002C
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 00130011
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 00130FD1
    .text C:\Windows\system32\svchost.exe[728] WS2_32.dll!socket 776536D1 5 Bytes JMP 009C0FEF
    .text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 001D0000
    .text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 001D0FDB
    .text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 001D001B
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 00180F54
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 001800A4
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 00180F39
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 001800D0
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 00180F9E
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 00180FDB
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 0018002C
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 00180F79
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 00180FAF
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 00180051
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 0018006C
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 00180FCA
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 00180093
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 00180F1E
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 00180011
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 00180000
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 001800BF
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 00860FAD
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!system 76D7804B 5 Bytes JMP 00860FC8
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 00860027
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!_open 76D7D106 5 Bytes JMP 0086000C
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 00860038
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 00860FEF
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 001E0F9E
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 001E0025
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 001E0FEF
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 001E0040
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 001E0F8D
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 001E0FCA
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 001E000A
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 001E0FB9
    .text C:\Windows\system32\svchost.exe[912] WS2_32.dll!socket 776536D1 5 Bytes JMP 0087000A
    .text C:\Windows\system32\svchost.exe[976] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 00770000
    .text C:\Windows\system32\svchost.exe[976] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 0077001B
    .text C:\Windows\system32\svchost.exe[976] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 00770FEF
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 00760F21
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 00760F32
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 00760EEE
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 00760EFF
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 0076004C
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 00760FCD
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 0076001E
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 00760F4D
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 0076003B
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 00760F97
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 00760F72
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 00760FA8
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 0076005D
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 007600A0
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 00760FDE
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 00760FEF
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 00760F10
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 007C004B
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!system 76D7804B 5 Bytes JMP 007C0FC0
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 007C003A
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_open 76D7D106 5 Bytes JMP 007C000C
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 007C0FE5
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_wopen
    *****
    [1/3]
     
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!system 76D7804B 5 Bytes JMP 0021001B
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 00210FBC
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_open 76D7D106 5 Bytes JMP 00210FEF
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 00210FAB
    .text C:\Windows\system32\lsass.exe[696] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 00210000
    .text C:\Windows\system32\lsass.exe[696] WS2_32.dll!socket 776536D1 5 Bytes JMP 00980FEF
    .text C:\Windows\system32\svchost.exe[728] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 00690FEF
    .text C:\Windows\system32\svchost.exe[728] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 00690025
    .text C:\Windows\system32\svchost.exe[728] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 00690014
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 006800A6
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 00680095
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 00680F0F
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 00680F20
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 00680073
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 00680025
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 00680FCA
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 00680F6A
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 00680062
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 00680051
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 00680FA5
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 00680036
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 00680084
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 006800C1
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 00680FE5
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 00680000
    .text C:\Windows\system32\svchost.exe[728] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 00680F45
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 00670036
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!system 76D7804B 5 Bytes JMP 0067001B
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 00670FC6
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!_open 76D7D106 5 Bytes JMP 00670000
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 00670FB5
    .text C:\Windows\system32\svchost.exe[728] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 00670FD7
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 0013004E
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 0013003D
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 00130000
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 00130FB6
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 00130F87
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 0013002C
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 00130011
    .text C:\Windows\system32\svchost.exe[728] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 00130FD1
    .text C:\Windows\system32\svchost.exe[728] WS2_32.dll!socket 776536D1 5 Bytes JMP 009C0FEF
    .text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 001D0000
    .text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 001D0FDB
    .text C:\Windows\system32\svchost.exe[912] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 001D001B
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 00180F54
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 001800A4
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 00180F39
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 001800D0
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 00180F9E
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 00180FDB
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 0018002C
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 00180F79
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 00180FAF
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 00180051
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 0018006C
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 00180FCA
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 00180093
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 00180F1E
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 00180011
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 00180000
    .text C:\Windows\system32\svchost.exe[912] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 001800BF
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 00860FAD
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!system 76D7804B 5 Bytes JMP 00860FC8
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 00860027
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!_open 76D7D106 5 Bytes JMP 0086000C
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 00860038
    .text C:\Windows\system32\svchost.exe[912] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 00860FEF
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 001E0F9E
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 001E0025
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 001E0FEF
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 001E0040
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 001E0F8D
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 001E0FCA
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 001E000A
    .text C:\Windows\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 001E0FB9
    .text C:\Windows\system32\svchost.exe[912] WS2_32.dll!socket 776536D1 5 Bytes JMP 0087000A
    .text C:\Windows\system32\svchost.exe[976] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 00770000
    .text C:\Windows\system32\svchost.exe[976] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 0077001B
    .text C:\Windows\system32\svchost.exe[976] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 00770FEF
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 00760F21
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 00760F32
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 00760EEE
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 00760EFF
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 0076004C
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 00760FCD
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 0076001E
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 00760F4D
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 0076003B
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 00760F97
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 00760F72
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 00760FA8
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 0076005D
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 007600A0
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 00760FDE
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 00760FEF
    .text C:\Windows\system32\svchost.exe[976] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 00760F10
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 007C004B
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!system 76D7804B 5 Bytes JMP 007C0FC0
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 007C003A
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_open 76D7D106 5 Bytes JMP 007C000C
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 007C0FE5
    .text C:\Windows\system32\svchost.exe[976] msvcrt.dll!_wopen

    [2/3]
  6. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    .text C:\Windows\System32\svchost.exe[1636] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 00080011
    .text C:\Windows\System32\svchost.exe[1636] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 00080000
    .text C:\Windows\System32\svchost.exe[1636] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 000800BF
    .text C:\Windows\System32\svchost.exe[1636] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 00070064
    .text C:\Windows\System32\svchost.exe[1636] msvcrt.dll!system 76D7804B 5 Bytes JMP 00070FD9
    .text C:\Windows\System32\svchost.exe[1636] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 0007002E
    .text C:\Windows\System32\svchost.exe[1636] msvcrt.dll!_open 76D7D106 5 Bytes JMP 00070000
    .text C:\Windows\System32\svchost.exe[1636] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 00070049
    .text C:\Windows\System32\svchost.exe[1636] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 0007001D
    .text C:\Windows\System32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 00060F9B
    .text C:\Windows\System32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 00060FCA
    .text C:\Windows\System32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 00060FEF
    .text C:\Windows\System32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 00060047
    .text C:\Windows\System32\svchost.exe[1636] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 00060058
    .text C:\Windows\System32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 00060011
    .text C:\Windows\System32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 00060000
    .text C:\Windows\System32\svchost.exe[1636] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 00060036
    .text C:\Windows\System32\svchost.exe[1636] WS2_32.dll!socket 776536D1 5 Bytes JMP 000D0FEF
    .text C:\Windows\system32\svchost.exe[1652] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 002B0000
    .text C:\Windows\system32\svchost.exe[1652] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 002B002C
    .text C:\Windows\system32\svchost.exe[1652] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 002B0011
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 002A00CE
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 002A0F88
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 002A0115
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 002A0104
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 002A0087
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 002A001B
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 002A0FCA
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 002A00B3
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 002A006C
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 002A0FB9
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 002A005B
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 002A0040
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 002A00A2
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 002A0126
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 002A0FE5
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 002A0000
    .text C:\Windows\system32\svchost.exe[1652] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 002A00E9
    .text C:\Windows\system32\svchost.exe[1652] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 00290049
    .text C:\Windows\system32\svchost.exe[1652] msvcrt.dll!system 76D7804B 5 Bytes JMP 00290FC8
    .text C:\Windows\system32\svchost.exe[1652] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 00290FE3
    .text C:\Windows\system32\svchost.exe[1652] msvcrt.dll!_open 76D7D106 5 Bytes JMP 00290000
    .text C:\Windows\system32\svchost.exe[1652] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 00290038
    .text C:\Windows\system32\svchost.exe[1652] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 0029001D
    .text C:\Windows\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 00270F83
    .text C:\Windows\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 0027001E
    .text C:\Windows\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 00270FEF
    .text C:\Windows\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 0027002F
    .text C:\Windows\system32\svchost.exe[1652] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 00270040
    .text C:\Windows\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 00270FB9
    .text C:\Windows\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 00270FD4
    .text C:\Windows\system32\svchost.exe[1652] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 00270FA8
    .text C:\Windows\system32\svchost.exe[1652] WS2_32.dll!socket 776536D1 5 Bytes JMP 00BE0000
    .text C:\Windows\system32\svchost.exe[1968] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 01E10FE5
    .text C:\Windows\system32\svchost.exe[1968] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 01E10FD4
    .text C:\Windows\system32\svchost.exe[1968] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 01E1000A
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 0193004D
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 01930F07
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 01930068
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 01930EDB
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 01930F44
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 01930FD4
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 01930FC3
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 01930F18
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 01930F6B
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 01930F97
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 01930F86
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 01930FB2
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 01930F29
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 01930083
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 01930FEF
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 01930000
    .text C:\Windows\system32\svchost.exe[1968] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 01930EEC
    .text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 017E0FB4
    .text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!system 76D7804B 5 Bytes JMP 017E0049
    .text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 017E001D
    .text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!_open 76D7D106 5 Bytes JMP 017E0FE3
    .text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 017E002E
    .text C:\Windows\system32\svchost.exe[1968] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 017E0000
    .text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 016D0F94
    .text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 016D0036
    .text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 016D0FEF
    .text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 016D0FAF
    .text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 016D0F79
    .text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 016D001B
    .text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 016D000A
    .text C:\Windows\system32\svchost.exe[1968] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 016D0FD4
    .text C:\Windows\system32\svchost.exe[1968] WS2_32.dll!socket 776536D1 5 Bytes JMP 01E60000
    .text C:\Windows\system32\svchost.exe[1984] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 00230FE5
    .text C:\Windows\system32\svchost.exe[1984] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 00230FCA
    .text C:\Windows\system32\svchost.exe[1984] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 0023000A
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 00220F43
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 00220089
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 00220F21
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 002200AE
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 00220053
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 00220FC3
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 00220FB2
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 00220F5E
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 00220042
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 00220F8D
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 00220025
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 00220014
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 00220064
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 00220F06
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 00220FD4
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 00220FE5
    .text C:\Windows\system32\svchost.exe[1984] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 00220F32
    .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 001F0036
    .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!system 76D7804B 5 Bytes JMP 001F0025
    .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 001F0FC6
    .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!_open 76D7D106 5 Bytes JMP 001F0FEF
    .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 001F0FAB
    .text C:\Windows\system32\svchost.exe[1984] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 001F0000
    .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 00130065
    .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 0013002F
    .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 00130FEF
    .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 00130054
    .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 00130076
    .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 00130FC3
    .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 00130FD4
    .text C:\Windows\system32\svchost.exe[1984] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 00130014
    .text C:\Windows\system32\svchost.exe[1984] WS2_32.dll!socket 776536D1 5 Bytes JMP 00240FEF
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2388] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 6FA09AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[2388] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 6FA09A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Windows\Explorer.EXE[3236] ntdll.dll!NtCreateFile 774F43D4 5 Bytes JMP 00040FE5
    .text C:\Windows\Explorer.EXE[3236] ntdll.dll!NtCreateProcess 774F4494 5 Bytes JMP 00040FCA
    .text C:\Windows\Explorer.EXE[3236] ntdll.dll!NtProtectVirtualMemory 774F4D34 5 Bytes JMP 0004000A
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!GetStartupInfoW 77151929 5 Bytes JMP 00010082
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!GetStartupInfoA 771519C9 5 Bytes JMP 00010F3C
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!CreateProcessW 77151BF3 5 Bytes JMP 00010EF5
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!CreateProcessA 77151C28 5 Bytes JMP 00010F06
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!VirtualProtect 77151DC3 5 Bytes JMP 00010056
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!CreateNamedPipeA 77152EF5 5 Bytes JMP 0001001B
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!CreateNamedPipeW 77155C0C 5 Bytes JMP 00010FCA
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!CreatePipe 77178E6E 5 Bytes JMP 00010F57
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!LoadLibraryExW 77179109 5 Bytes JMP 00010F7C
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!LoadLibraryW 77179362 5 Bytes JMP 00010FA8
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!LoadLibraryExA 771794B4 5 Bytes JMP 00010F8D
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!LoadLibraryA 771794DC 5 Bytes JMP 00010FB9
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!VirtualProtectEx 7717DBDA 5 Bytes JMP 00010067
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!GetProcAddress 7719903B 5 Bytes JMP 0001009D
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!CreateFileW 7719AECB 5 Bytes JMP 0001000A
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!CreateFileA 7719CE5F 5 Bytes JMP 00010FEF
    .text C:\Windows\Explorer.EXE[3236] kernel32.dll!WinExec 771E5CF7 5 Bytes JMP 00010F17
    .text C:\Windows\Explorer.EXE[3236] ADVAPI32.dll!RegCreateKeyExA 76A039AB 5 Bytes JMP 00060FB9
    .text C:\Windows\Explorer.EXE[3236] ADVAPI32.dll!RegCreateKeyA 76A03BA9 5 Bytes JMP 00060FD4
    .text C:\Windows\Explorer.EXE[3236] ADVAPI32.dll!RegOpenKeyA 76A089C7 5 Bytes JMP 00060000
    .text C:\Windows\Explorer.EXE[3236] ADVAPI32.dll!RegCreateKeyW 76A1391E 5 Bytes JMP 00060051
    .text C:\Windows\Explorer.EXE[3236] ADVAPI32.dll!RegCreateKeyExW 76A141F1 5 Bytes JMP 00060F9E
    .text C:\Windows\Explorer.EXE[3236] ADVAPI32.dll!RegOpenKeyExA 76A17C42 5 Bytes JMP 0006001B
    .text C:\Windows\Explorer.EXE[3236] ADVAPI32.dll!RegOpenKeyW 76A1E2B5 5 Bytes JMP 00060FEF
    .text C:\Windows\Explorer.EXE[3236] ADVAPI32.dll!RegOpenKeyExW 76A27BA1 5 Bytes JMP 00060036
    .text C:\Windows\Explorer.EXE[3236] msvcrt.dll!_wsystem 76D77F2F 5 Bytes JMP 00070036
    .text C:\Windows\Explorer.EXE[3236] msvcrt.dll!system 76D7804B 5 Bytes JMP 00070FAB
    .text C:\Windows\Explorer.EXE[3236] msvcrt.dll!_creat 76D7BBE1 5 Bytes JMP 00070FC6
    .text C:\Windows\Explorer.EXE[3236] msvcrt.dll!_open 76D7D106 5 Bytes JMP 00070000
    .text C:\Windows\Explorer.EXE[3236] msvcrt.dll!_wcreat 76D7D326 5 Bytes JMP 0007001B
    .text C:\Windows\Explorer.EXE[3236] msvcrt.dll!_wopen 76D7D501 5 Bytes JMP 00070FE3
    .text C:\Windows\Explorer.EXE[3236] WS2_32.dll!socket 776536D1 5 Bytes JMP 02EB0000
    .text C:\Windows\Explorer.EXE[3236] WININET.dll!InternetOpenA 7708D690 5 Bytes JMP 02F00FEF
    .text C:\Windows\Explorer.EXE[3236] WININET.dll!InternetOpenW 7708DB09 5 Bytes JMP 02F00000
    .text C:\Windows\Explorer.EXE[3236] WININET.dll!InternetOpenUrlA 7708F3A4 5 Bytes JMP 02F0001B
    .text C:\Windows\Explorer.EXE[3236] WININET.dll!InternetOpenUrlW 770D6D5F 5 Bytes JMP 02F00FCA
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[4544] ntdll.dll!KiUserApcDispatcher 774F5D18 5 Bytes JMP 004397C0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[4544] WS2_32.dll!getaddrinfo 7765418A 5 Bytes JMP 71670022
    .text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[4544] WS2_32.dll!gethostbyname 776662D4 5 Bytes JMP 716E0022

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\mfevtps.exe[1680] @ C:\Windows\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [010C7750] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
    IAT C:\Windows\system32\mfevtps.exe[1680] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [010C77B0] C:\Windows\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----

    [3/3]
    *****
  7. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    Step 5: DDS

    Completed - logs as follows:

    [DDS]

    DDS (Ver_10-10-31.01) - NTFSx86
    Run by Nicky at 23:01:48.64 on 31/10/2010
    Internet Explorer: 8.0.6001.18975
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3034.1893 [GMT 0:00]

    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_85b55258\STacSV.exe
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_85b55258\aestsrv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Kontiki\KService.exe
    c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
    C:\Windows\system32\mfevtps.exe
    C:\Windows\system32\rundll32.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\taskeng.exe
    C:\Users\Nicky\AppData\Roaming\bbxnz.exe
    C:\Users\Nicky\AppData\Roaming\xxkmc.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Dell\DellDock\DellDock.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Windows\System32\igfxtray.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\FinePixViewer\QuickDCF2.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Users\Nicky\Downloads\dds.scr
    C:\Program Files\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.orange.co.uk
    uDefault_Page_URL = hxxp://www.orange.co.uk
    uWindow Title = Microsoft Internet Explorer provided by Orange UK
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101028211503.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    TB: {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - No File
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [kdx] c:\program files\kontiki\KHost.exe -all
    uRun: [Mobile Partner] c:\program files\3mobilewifi\3MobileWiFi
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [O2Start] c:\program files\o2cm-ce\o2 connection manager\tscui.exe /s
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    StartupFolder: c:\users\nicky\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
    StartupFolder: c:\users\nicky\appdata\roaming\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
    StartupFolder: c:\users\nicky\appdata\roaming\micros~1\windows\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: orange search - file://c:\program files\orange4\cache\SelectedContextSearch.htm
    IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~1.0_0\bin\ssv.dll
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www3.snapfish.co.uk/SnapfishUKActivia.cab
    DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www3.snapfish.co.uk/SnapfishActivia3.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-28 386712]
    R0 RapportKELL;RapportKELL;c:\windows\system32\drivers\RapportKELL.sys [2010-10-3 59240]
    R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-10-28 64304]
    R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-28 164808]
    R1 RapportCerberus_19917;RapportCerberus_19917;c:\programdata\trusteer\rapport\store\exts\rapportcerberus\19917\RapportCerberus_19917.sys [2010-10-3 34792]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2010-10-3 169320]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_85b55258\AEstSrv.exe [2008-12-20 73728]
    R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-9-24 155648]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-2-21 88176]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-28 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-28 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-10-28 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-10-28 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-10-28 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-10-28 141792]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2010-10-3 767208]
    R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-28 55840]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-10-28 152992]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-10-28 52104]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-28 312904]
    S2 gupdate1ca1d1e8db7876d;Google Update Service (gupdate1ca1d1e8db7876d);c:\program files\google\update\GoogleUpdate.exe [2009-8-14 133104]
    S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys [2010-10-18 112128]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-12-20 30192]
    S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [2010-10-18 101248]
    S3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2010-4-12 9216]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-28 84264]
    S3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\drivers\ZTEusbnet.sys [2010-4-12 114688]

    =============== Created Last 30 ================

    2010-10-31 21:57:22 -------- d-----w- c:\users\nicky\appdata\roaming\Malwarebytes
    2010-10-31 21:57:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-31 21:57:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-31 21:57:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-31 21:57:01 -------- d-----w- c:\progra~2\Malwarebytes
    2010-10-31 16:57:40 65536 ----a-w- c:\users\nicky\appdata\roaming\xxkmc.exe
    2010-10-31 16:56:49 175104 ----a-w- c:\users\nicky\appdata\roaming\bbxnz.exe
    2010-10-28 20:31:03 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-28 20:31:02 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-28 20:31:02 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-28 20:30:49 6146896 ----a-w- c:\progra~2\microsoft\windows defender\definition updates\{ae2894a1-c6fd-4ceb-aaf5-f68f5e1b1d1f}\mpengine.dll
    2010-10-28 20:15:03 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-10-28 20:14:53 141792 ----a-w- c:\windows\system32\mfevtps.exe
    2010-10-28 20:14:45 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-10-28 20:14:45 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-10-28 20:14:45 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2010-10-28 20:14:45 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-10-28 20:14:45 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-10-28 20:14:45 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2010-10-28 20:14:45 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2010-10-28 20:14:45 164808 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2010-10-28 20:14:45 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-10-18 07:16:25 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
    2010-10-18 07:16:25 112128 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
    2010-10-18 07:16:25 102912 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
    2010-10-18 07:16:25 101248 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
    2010-10-18 07:16:08 -------- d-----w- c:\program files\3MobileWiFi
    2010-10-17 07:32:19 274944 ----a-w- c:\windows\system32\schannel.dll
    2010-10-17 07:32:07 168960 ----a-w- c:\program files\windows media player\wmplayer.exe
    2010-10-17 07:32:06 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-10-17 07:31:15 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-10-17 07:31:14 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-10-17 07:31:14 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-10-17 07:31:14 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-10-17 07:31:13 17920 ----a-w- c:\windows\system32\netevent.dll
    2010-10-03 22:43:44 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys

    ==================== Find3M ====================

    2010-10-19 10:41:44 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-09-08 06:01:28 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-09-08 05:57:18 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-09-08 05:57:05 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-09-08 05:56:53 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-09-08 05:56:53 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-09-08 05:04:36 385024 ----a-w- c:\windows\system32\html.iec
    2010-09-08 04:26:46 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-09-08 04:25:15 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-08-31 15:46:37 954752 ----a-w- c:\windows\system32\mfc40.dll
    2010-08-31 15:46:37 954288 ----a-w- c:\windows\system32\mfc40u.dll
    2010-08-31 15:44:31 531968 ----a-w- c:\windows\system32\comctl32.dll
    2010-08-31 13:27:38 2038272 ----a-w- c:\windows\system32\win32k.sys
    2010-08-26 16:37:45 157184 ----a-w- c:\windows\system32\t2embed.dll
    2010-08-26 16:33:06 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33:04 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-26 16:33:04 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33:04 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-20 16:05:07 867328 ----a-w- c:\windows\system32\wmpmde.dll
    2010-08-17 14:11:37 128000 ----a-w- c:\windows\system32\spoolsv.exe

    ============= FINISH: 23:03:12.23 ===============
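
    Added example, not part of any post in this thread: a Python triage helper that reads a DDS log in the layout above and correlates the Running Processes section with Created Last 30. The rule of thumb a helper applies by eye is that a process running from a user-writable profile directory (AppData, Downloads) whose image file was created within the last 30 days is the dropper-payload pattern, while an analyst's own freshly downloaded tool also lands in Downloads and is expected. The sample log embedded in the block is constructed in the DDS format; the section banners are the ones DDS prints above, but the regular expressions, the list of "user-writable" directories and the two severity labels are this example's own assumptions, not anything DDS itself does.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout DDS uses (section banners, one process per
# line, "Created Last 30" as "<date> <time> <size> <attrs> <path>"). The paths
# mirror the kind of entries in the log above; they are not a copy of it.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Users\Nicky\AppData\Roaming\bbxnz.exe
C:\Users\Nicky\AppData\Roaming\xxkmc.exe
C:\Windows\Explorer.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Users\Nicky\Downloads\dds.scr

============== Pseudo HJT Report ===============

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

=============== Created Last 30 ================

2010-10-31 21:57:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-31 16:57:40 65536 ----a-w- c:\users\nicky\appdata\roaming\xxkmc.exe
2010-10-31 16:56:49 175104 ----a-w- c:\users\nicky\appdata\roaming\bbxnz.exe
2010-10-28 20:31:03 1696256 ----a-w- c:\windows\system32\gameux.dll

==================== Find3M ====================
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Image path up to the first executable extension; arguments such as "-k netsvcs" are dropped.
EXEC_RE = re.compile(r"^(.*?\.(?:exe|scr|dll|com|pif|bat|cmd|vbs|js))(?:\s|$)", re.I)
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
# Per-user, writable locations (assumed list). Services and installed software
# normally run from \Windows or \Program Files, so an executable here needs a look.
USER_WRITABLE_RE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\", re.I)


def split_sections(log: str) -> Dict[str, List[str]]:
    """Return {banner name: [non-empty lines]} for a DDS-style log."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections


@dataclass
class Finding:
    path: str
    created: Optional[str]  # timestamp from "Created Last 30", if the file is listed there
    severity: str           # "high": running AND recently created; "review": running only


def triage(log: str) -> List[Finding]:
    """Correlate running processes with recently created files.

    A process running from a user-writable directory whose image was created
    in the last 30 days is flagged "high"; one that is merely running from
    such a directory (e.g. a scanner the analyst just downloaded) is "review".
    """
    sections = split_sections(log)
    created: Dict[str, str] = {}
    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if m:
            created[m.group(4).lower()] = m.group(1)
    findings: List[Finding] = []
    for line in sections.get("Running Processes", []):
        m = EXEC_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        if not USER_WRITABLE_RE.search(path):
            continue
        when = created.get(path.lower())
        findings.append(Finding(path, when, "high" if when else "review"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.path}  created={f.created or '-'}")
```

    On the constructed sample this reports the two AppData\Roaming executables as "high" (running, and created within a minute of each other) and the scanner in Downloads as "review". Paste a real DDS log in place of SAMPLE_LOG to run it against a full report; persistence entries in the Pseudo HJT section are not examined here.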

     
  8. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    Step 6: Log Handling Instructions

    Complete - see logs in previous replies
    *****

    My girlfriend said she managed to get IE to work again earlier, but I've tried myself only to be met by the same problems as before.

    Any help and assistance would be greatly appreciated.

    Cheers, Pete
     
  9. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Thank you :)

    Download MBRCheck to your desktop

    Double-click MBRCheck.exe to run it (Vista and Windows 7 users: right-click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ===================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    Step 7: MBRCheck

    Complete - log as follows:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows Vista Home Premium Edition
    Windows Information: Service Pack 2 (build 6002), 32-bit
    Base Board Manufacturer: Dell Inc.
    BIOS Manufacturer: Dell Inc.
    System Manufacturer: Dell Inc.
    System Product Name: Inspiron 1545
    Logical Drives Mask: 0x00000034

    Kernel Drivers (total 141):
    0x84252000 \SystemRoot\system32\ntkrnlpa.exe
    0x8421F000 \SystemRoot\system32\hal.dll
    0x80405000 \SystemRoot\system32\kdcom.dll
    0x8040C000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
    0x8047C000 \SystemRoot\system32\PSHED.dll
    0x8048D000 \SystemRoot\system32\BOOTVID.dll
    0x80495000 \SystemRoot\system32\CLFS.SYS
    0x804D6000 \SystemRoot\system32\CI.dll
    0x80600000 \SystemRoot\system32\drivers\Wdf01000.sys
    0x8067C000 \SystemRoot\system32\drivers\WDFLDR.SYS
    0x80689000 \SystemRoot\system32\drivers\acpi.sys
    0x806CF000 \SystemRoot\system32\drivers\WMILIB.SYS
    0x806D8000 \SystemRoot\system32\drivers\msisadrv.sys
    0x806E0000 \SystemRoot\system32\drivers\pci.sys
    0x80707000 \SystemRoot\System32\drivers\partmgr.sys
    0x80716000 \SystemRoot\system32\DRIVERS\compbatt.sys
    0x80719000 \SystemRoot\system32\DRIVERS\BATTC.SYS
    0x80723000 \SystemRoot\system32\drivers\volmgr.sys
    0x80732000 \SystemRoot\System32\drivers\volmgrx.sys
    0x8077C000 \SystemRoot\System32\drivers\mountmgr.sys
    0x8BE08000 \SystemRoot\system32\drivers\iastor.sys
    0x8BED8000 \SystemRoot\system32\drivers\fltmgr.sys
    0x8BF0A000 \SystemRoot\system32\drivers\fileinfo.sys
    0x8BF1A000 \SystemRoot\system32\drivers\mfehidk.sys
    0x8BF77000 \SystemRoot\System32\Drivers\PxHelp20.sys
    0x8BF80000 \SystemRoot\System32\Drivers\ksecdd.sys
    0x8C002000 \SystemRoot\system32\drivers\ndis.sys
    0x8C10D000 \SystemRoot\system32\drivers\msrpc.sys
    0x8C138000 \SystemRoot\system32\drivers\NETIO.SYS
    0x8C206000 \SystemRoot\System32\Drivers\Ntfs.sys
    0x8C316000 \SystemRoot\system32\drivers\volsnap.sys
    0x8C34F000 \SystemRoot\System32\Drivers\spldr.sys
    0x8C357000 \SystemRoot\System32\Drivers\RapportKELL.sys
    0x8C365000 \SystemRoot\System32\Drivers\USBD.SYS
    0x8C367000 \SystemRoot\System32\Drivers\mup.sys
    0x8C376000 \SystemRoot\System32\drivers\ecache.sys
    0x8C39D000 \SystemRoot\system32\drivers\disk.sys
    0x8C3AE000 \SystemRoot\system32\drivers\CLASSPNP.SYS
    0x8C3CF000 \SystemRoot\system32\drivers\crcdisk.sys
    0x8FCD6000 \SystemRoot\system32\DRIVERS\tunnel.sys
    0x8FCE1000 \SystemRoot\system32\DRIVERS\tunmp.sys
    0x90008000 \SystemRoot\system32\DRIVERS\igdkmd32.sys
    0x906E9000 \SystemRoot\System32\drivers\dxgkrnl.sys
    0x9078A000 \SystemRoot\System32\drivers\watchdog.sys
    0x90796000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0x907A1000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0x907DF000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0x8FCEA000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0x90805000 \SystemRoot\system32\DRIVERS\bcmwl6.sys
    0x9092F000 \SystemRoot\system32\DRIVERS\yk60x86.sys
    0x9097C000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0x9098F000 \SystemRoot\system32\DRIVERS\Apfiltr.sys
    0x909BC000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0x909C7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0x909D2000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0x909EA000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0x909F0000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0x909F4000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0x907EE000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0x8FD77000 \SystemRoot\system32\DRIVERS\msiscsi.sys
    0x8FDA6000 \SystemRoot\system32\DRIVERS\storport.sys
    0x8FDE7000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0x8C3E5000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0x8FDF2000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0x8C173000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0x8C196000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0x8C1A5000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0x8C1B9000 \SystemRoot\system32\DRIVERS\rassstp.sys
    0x8C1CE000 \SystemRoot\system32\DRIVERS\termdd.sys
    0x909FD000 \SystemRoot\system32\DRIVERS\swenum.sys
    0x8078C000 \SystemRoot\system32\DRIVERS\ks.sys
    0x8C1DE000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0x8C1E8000 \SystemRoot\system32\DRIVERS\umbus.sys
    0x807B6000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0x807EB000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x90E01000 \SystemRoot\system32\DRIVERS\stwrt.sys
    0x90E63000 \SystemRoot\system32\DRIVERS\portcls.sys
    0x90E90000 \SystemRoot\system32\DRIVERS\drmk.sys
    0x90EB5000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0x90EBE000 \SystemRoot\System32\Drivers\Null.SYS
    0x90EC5000 \SystemRoot\System32\Drivers\Beep.SYS
    0x90ECC000 \SystemRoot\System32\drivers\vga.sys
    0x90ED8000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
    0x90EF9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0x90F01000 \SystemRoot\system32\drivers\rdpencdd.sys
    0x90F09000 \SystemRoot\System32\Drivers\Msfs.SYS
    0x90F14000 \SystemRoot\System32\Drivers\Npfs.SYS
    0x90F22000 \SystemRoot\System32\DRIVERS\rasacd.sys
    0x9100C000 \SystemRoot\System32\drivers\tcpip.sys
    0x910F6000 \SystemRoot\System32\drivers\fwpkclnt.sys
    0x91111000 \SystemRoot\system32\drivers\mfewfpk.sys
    0x91138000 \SystemRoot\system32\DRIVERS\tdx.sys
    0x9114E000 \SystemRoot\system32\DRIVERS\smb.sys
    0x91162000 \SystemRoot\System32\DRIVERS\netbt.sys
    0x91194000 \SystemRoot\system32\drivers\afd.sys
    0x911DC000 \SystemRoot\system32\DRIVERS\pacer.sys
    0x911F2000 \SystemRoot\system32\DRIVERS\mfenlfk.sys
    0x90F2B000 \SystemRoot\system32\drivers\RTSTOR.SYS
    0x90F3F000 \SystemRoot\system32\DRIVERS\netbios.sys
    0x90F4D000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x90F60000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x90F9C000 \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
    0x91000000 \??\C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys
    0x90FC5000 \SystemRoot\system32\drivers\nsiproxy.sys
    0x90FCF000 \SystemRoot\System32\Drivers\dfsc.sys
    0x805B6000 \SystemRoot\system32\drivers\mfeavfk.sys
    0x91805000 \SystemRoot\system32\drivers\mfefirek.sys
    0x91850000 \SystemRoot\System32\Drivers\crashdmp.sys
    0x9185D000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0x9ACD0000 \SystemRoot\System32\win32k.sys
    0x9192D000 \SystemRoot\System32\drivers\Dxapi.sys
    0x91937000 \SystemRoot\system32\DRIVERS\monitor.sys
    0x9AEF0000 \SystemRoot\System32\TSDDD.dll
    0x9AF10000 \SystemRoot\System32\cdd.dll
    0x91946000 \SystemRoot\system32\drivers\luafv.sys
    0x8FC00000 \SystemRoot\system32\drivers\spsys.sys
    0x9196E000 \SystemRoot\system32\DRIVERS\alcacr.sys
    0x919E5000 \SystemRoot\system32\DRIVERS\lltdio.sys
    0x9196F000 \SystemRoot\system32\DRIVERS\nwifi.sys
    0x91999000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x919A3000 \SystemRoot\system32\DRIVERS\rspndr.sys
    0x83608000 \SystemRoot\system32\drivers\HTTP.sys
    0x83675000 \SystemRoot\System32\DRIVERS\srvnet.sys
    0x83692000 \SystemRoot\system32\DRIVERS\bowser.sys
    0x836AB000 \SystemRoot\System32\drivers\mpsdrv.sys
    0x836C0000 \SystemRoot\system32\drivers\mrxdav.sys
    0x836E1000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0x83700000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
    0x83739000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
    0x83751000 \SystemRoot\System32\DRIVERS\srv2.sys
    0x83779000 \SystemRoot\System32\DRIVERS\srv.sys
    0x837C7000 \SystemRoot\System32\Drivers\fastfat.SYS
    0xAD600000 \SystemRoot\system32\drivers\peauth.sys
    0xAD6DE000 \SystemRoot\System32\Drivers\secdrv.SYS
    0xAD6E8000 \SystemRoot\System32\drivers\tcpipreg.sys
    0xAD718000 \SystemRoot\system32\drivers\cfwids.sys
    0xAD724000 \SystemRoot\system32\drivers\mfeapfk.sys
    0xAD73A000 \SystemRoot\system32\drivers\mfebopk.sys
    0xAD745000 \SystemRoot\system32\drivers\BCM42RLY.sys
    0xAD74D000 \SystemRoot\system32\DRIVERS\cdfs.sys
    0x772B0000 \Windows\System32\ntdll.dll

    Processes (total 95):
    0 System Idle Process
    4 System
    524 C:\Windows\System32\smss.exe
    600 csrss.exe
    644 C:\Windows\System32\wininit.exe
    656 csrss.exe
    692 C:\Windows\System32\services.exe
    704 C:\Windows\System32\lsass.exe
    712 C:\Windows\System32\lsm.exe
    800 C:\Windows\System32\winlogon.exe
    916 C:\Windows\System32\svchost.exe
    980 C:\Windows\System32\svchost.exe
    1132 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    1212 C:\Windows\System32\svchost.exe
    1244 C:\Windows\System32\svchost.exe
    1260 C:\Windows\System32\svchost.exe
    1296 C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_85b55258\stacsv.exe
    1372 C:\Windows\System32\audiodg.exe
    1440 C:\Windows\System32\svchost.exe
    1460 C:\Windows\System32\SLsvc.exe
    1500 C:\Windows\System32\svchost.exe
    1564 C:\Program Files\Dell\DellDock\DockLogin.exe
    1624 C:\Windows\System32\svchost.exe
    1788 C:\Windows\System32\WLTRYSVC.EXE
    1804 C:\Windows\System32\BCMWLTRY.EXE
    1888 C:\Windows\System32\spoolsv.exe
    1920 C:\Windows\System32\svchost.exe
    392 C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_85b55258\AEstSrv.exe
    556 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    580 C:\Program Files\Bonjour\mDNSResponder.exe
    684 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    908 C:\Program Files\Kontiki\KService.exe
    1492 C:\PROGRA~1\McAfee\SITEAD~1\McSACore.exe
    1648 C:\Windows\System32\mfevtps.exe
    568 C:\Windows\System32\rundll32.exe
    1228 C:\Windows\System32\svchost.exe
    2052 C:\Windows\System32\svchost.exe
    2092 C:\Windows\System32\svchost.exe
    2164 C:\Windows\System32\SearchIndexer.exe
    2212 C:\Windows\System32\rundll32.exe
    2320 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    2356 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    2436 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    3092 C:\Windows\System32\dwm.exe
    3108 C:\Windows\System32\taskeng.exe
    3120 C:\Program Files\Dell\DellDock\DellDock.exe
    3184 C:\Windows\explorer.exe
    3336 C:\Program Files\DellTPad\Apoint.exe
    3344 C:\Windows\System32\igfxtray.exe
    3448 C:\Windows\System32\hkcmd.exe
    3524 C:\Windows\System32\taskeng.exe
    3548 C:\Windows\System32\WLTRAY.EXE
    3564 C:\Program Files\Dell\QuickSet\quickset.exe
    3576 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    3660 C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    3684 C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    3692 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    3700 C:\Program Files\Kontiki\KHost.exe
    3708 C:\Program Files\IDT\WDM\sttray.exe
    3732 C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe
    3748 C:\Program Files\iTunes\iTunesHelper.exe
    3756 C:\Program Files\McAfee.com\Agent\mcagent.exe
    3764 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    3772 C:\Windows\ehome\ehtray.exe
    3780 C:\Program Files\Windows Media Player\wmpnscfg.exe
    3796 C:\Program Files\FinePixViewer\QuickDCF2.exe
    3812 C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    3820 C:\Program Files\Microsoft Office\Office\OSA.EXE
    3856 C:\Users\Nicky\AppData\Roaming\bbxnz.exe
    3916 C:\Users\Nicky\AppData\Roaming\xxkmc.exe
    784 C:\Windows\System32\igfxsrvc.exe
    2848 C:\Windows\ehome\ehmsas.exe
    2000 WmiPrvSE.exe
    2432 C:\Program Files\Windows Media Player\wmpnetwk.exe
    3744 C:\Program Files\iPod\bin\iPodService.exe
    4404 C:\Program Files\DellTPad\ApMsgFwd.exe
    4520 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    4536 C:\Program Files\DellTPad\hidfind.exe
    4556 C:\Program Files\DellTPad\ApntEx.exe
    5084 WmiPrvSE.exe
    892 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    5852 C:\Windows\servicing\TrustedInstaller.exe
    5560 WmiPrvSE.exe
    3632 C:\Program Files\Google\Chrome\Application\chrome.exe
    5552 C:\Program Files\Google\Chrome\Application\chrome.exe
    3328 C:\Windows\System32\wscript.exe
    1076 C:\Program Files\Google\Chrome\Application\chrome.exe
    5664 C:\Program Files\Google\Chrome\Application\chrome.exe
    4948 C:\Program Files\Google\Chrome\Application\chrome.exe
    4372 C:\Program Files\Dell Support Center\HWDiag\bin\PcdrEngine.exe
    2908 C:\Windows\System32\SearchProtocolHost.exe
    2652 C:\Windows\System32\SearchFilterHost.exe
    5828 dllhost.exe
    2916 dllhost.exe
    976 C:\Users\Nicky\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000002`73800000 (NTFS)
    \\.\E: --> \\.\PhysicalDrive0 at offset 0x00000000`02800000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHTS543225L9A300, Rev: FBEOC40C

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Dell Inspiron MBR code detected
    SHA1: AE3E0A945D44C8EA304A19A8F50F69065C34344B


    Done!
     
  11. Broni

    Go on.....
     
  12. brothwpj79

    Step 8: ComboFix

    Completed, recurring error message "Windows cannot find 'NIRCMD'. Make sure you typed the name correctly, and then try again.", log as follows:


    ComboFix 10-11-02.06 - Nicky 03/11/2010 21:10:24.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.3034.1837 [GMT 0:00]
    Running from: c:\users\Nicky\Downloads\ComboFix.exe
    SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    * Created a new restore point
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Nicky\AppData\Roaming\bbxnz.exe
    c:\users\Nicky\AppData\Roaming\xxkmc.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-10-03 to 2010-11-03 )))))))))))))))))))))))))))))))
    .

    2010-11-03 21:22 . 2010-11-03 21:22 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-11-03 21:06 . 2010-11-03 21:07 -------- d-----w- C:\32788R22FWJFW
    2010-10-31 21:57 . 2010-10-31 21:57 -------- d-----w- c:\users\Nicky\AppData\Roaming\Malwarebytes
    2010-10-31 21:57 . 2010-04-29 15:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-31 21:57 . 2010-10-31 21:57 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-10-31 21:57 . 2010-10-31 21:57 -------- d-----w- c:\programdata\Malwarebytes
    2010-10-31 21:57 . 2010-04-29 15:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-28 20:31 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
    2010-10-28 20:31 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
    2010-10-28 20:31 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
    2010-10-28 20:30 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{AE2894A1-C6FD-4CEB-AAF5-F68F5E1B1D1F}\mpengine.dll
    2010-10-28 20:15 . 2010-08-24 13:57 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2010-10-28 20:14 . 2010-08-24 13:57 141792 ----a-w- c:\windows\system32\mfevtps.exe
    2010-10-28 20:14 . 2010-08-24 13:57 95600 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2010-10-28 20:14 . 2010-08-24 13:57 84264 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2010-10-28 20:14 . 2010-08-24 13:57 64304 ----a-w- c:\windows\system32\drivers\mfenlfk.sys
    2010-10-28 20:14 . 2010-08-24 13:57 55840 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2010-10-28 20:14 . 2010-08-24 13:57 52104 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2010-10-28 20:14 . 2010-08-24 13:57 386712 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2010-10-28 20:14 . 2010-08-24 13:57 312904 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2010-10-28 20:14 . 2010-08-24 13:57 164808 ----a-w- c:\windows\system32\drivers\mfewfpk.sys
    2010-10-28 20:14 . 2010-08-24 13:57 152992 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2010-10-18 07:16 . 2009-07-24 14:51 101248 ----a-w- c:\windows\system32\drivers\ewusbdev.sys
    2010-10-18 07:16 . 2009-06-22 19:01 112128 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
    2010-10-18 07:16 . 2009-06-22 18:38 102912 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
    2010-10-18 07:16 . 2007-08-09 03:06 23424 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
    2010-10-18 07:16 . 2010-10-18 07:16 -------- d-----w- c:\program files\3MobileWiFi
    2010-10-17 07:32 . 2010-08-10 15:53 274944 ----a-w- c:\windows\system32\schannel.dll
    2010-10-17 07:32 . 2010-09-13 13:56 168960 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
    2010-10-17 07:32 . 2010-09-13 13:56 8147456 ----a-w- c:\windows\system32\wmploc.DLL
    2010-10-17 07:31 . 2010-09-06 16:20 125952 ----a-w- c:\windows\system32\srvsvc.dll
    2010-10-17 07:31 . 2010-09-06 13:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-10-17 07:31 . 2010-09-06 13:45 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
    2010-10-17 07:31 . 2010-09-06 13:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
    2010-10-17 07:31 . 2010-09-06 16:19 17920 ----a-w- c:\windows\system32\netevent.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-10-19 10:41 . 2010-02-21 19:48 222080 ------w- c:\windows\system32\MpSigStub.exe
    2010-10-03 22:43 . 2010-10-03 22:43 59240 ----a-w- c:\windows\system32\drivers\RapportKELL.sys
    2010-08-26 16:33 . 2010-10-28 20:31 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
    2010-08-26 16:33 . 2010-10-28 20:31 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
    2010-08-26 16:33 . 2010-10-28 20:31 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
    2010-08-26 16:33 . 2010-10-28 20:31 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
    2010-08-17 14:11 . 2010-09-16 20:19 128000 ----a-w- c:\windows\system32\spoolsv.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Mobile Partner"="c:\program files\3MobileWiFi\3MobileWiFi" [X]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-20 39408]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-09-04 200704]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-17 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-17 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-17 145944]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-11-20 3563520]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-01 30192]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2008-10-21 1032640]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2008-09-17 442460]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "O2Start"="c:\program files\O2CM-CE\O2 Connection Manager\tscui.exe" [2010-01-04 2998272]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-10 1193848]

    c:\users\Nicky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656]
    Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1996-12-9 111376]
    Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-12-9 51984]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2009-2-5 303104]

    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2008-9-24 1295656]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-12-20 19:57 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring"=dword:00000001

    R2 gupdate1ca1d1e8db7876d;Google Update Service (gupdate1ca1d1e8db7876d);c:\program files\Google\Update\GoogleUpdate.exe [2009-08-14 133104]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [2010-05-20 88176]
    R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc [x]
    R3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\DRIVERS\ewusbnet.sys [2009-06-22 112128]
    R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-09-01 30192]
    R3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\DRIVERS\ewusbdev.sys [2009-07-24 101248]
    R3 massfilter;ZTE Mass Storage Filter Driver;c:\windows\system32\drivers\massfilter.sys [2009-04-27 9216]
    R3 ZTEusbnet;ZTE USB-NDIS miniport;c:\windows\system32\DRIVERS\ZTEusbnet.sys [2009-07-21 114688]
    S0 RapportKELL;RapportKELL;c:\windows\System32\Drivers\RapportKELL.sys [2010-10-03 59240]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-08-24 64304]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-08-24 164808]
    S1 RapportCerberus_19917;RapportCerberus_19917;c:\programdata\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys [2010-10-03 34792]
    S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-10-03 169320]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_85b55258\aestsrv.exe [2008-09-17 73728]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-09-24 155648]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-08-24 188136]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2010-08-24 141792]
    S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-10-03 767208]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-08-24 55840]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-08-24 312904]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-08-24 84264]


    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-14 20:33]

    2010-11-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-08-14 20:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.orange.co.uk
    uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
    IE: orange search - file://c:\program files\ORANGE4\Cache\SelectedContextSearch.htm
    IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
    DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} - hxxp://www3.snapfish.co.uk/SnapfishActivia3.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-11-03 21:22
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,28,2c,e3,0f,5c,7a,41,9f,b2,68,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,56,28,2c,e3,0f,5c,7a,41,9f,b2,68,\

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-11-03 21:25:14
    ComboFix-quarantined-files.txt 2010-11-03 21:25

    Pre-Run: 175,737,823,232 bytes free
    Post-Run: 175,106,732,032 bytes free

    - - End Of File - - 42017BA6AE8DC0428DC048342194A9CF
     
  13. Broni

    Unless you willingly installed Kontiki Player....
    Go Start>Control Panel>Add\Remove ("Programs and Features" in Vista), and uninstall Sky Anytime (if present).
    Download, and run KClean.exe: http://static.sky.com/kclean/KClean.exe to remove Kontiki from your computer.
    NOTE: Kontiki is a known resource hog.

    =========================================================================

    Combofix log looks good :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  14. brothwpj79

    Jeez, give a guy a chance... ;)

    ComboFix took quite a while to go through its motions :stickout:

    In all seriousness, thanks for the continued support :grinthumb
     
  15. Broni

    You're welcome :)
     
  16. brothwpj79

    Step 9: OTL

    Completed (skipped the Sky Anytime uninstall as it's there for a reason), logs as follows:

    [OTL]


    OTL logfile created on: 03/11/2010 21:57:42 - Run 1
    OTL by OldTimer - Version 3.2.17.2 Folder = C:\Users\Nicky\Downloads
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18975)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 63.00% Memory free
    6.00 Gb Paging File | 5.00 Gb Available in Paging File | 79.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 223.08 Gb Total Space | 163.05 Gb Free Space | 73.09% Space Free | Partition Type: NTFS
    Drive E: | 9.77 Gb Total Space | 4.57 Gb Free Space | 46.77% Space Free | Partition Type: NTFS

    Computer Name: NICKY-PC | User Name: Nicky | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2010/11/03 21:39:11 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Nicky\Downloads\OTL.exe
    PRC - [2010/10/03 22:43:16 | 001,266,920 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    PRC - [2010/10/03 22:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    PRC - [2010/09/10 20:59:12 | 001,193,848 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
    PRC - [2010/09/01 20:28:43 | 000,030,192 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    PRC - [2010/08/24 13:57:38 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    PRC - [2010/08/24 13:57:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    PRC - [2010/08/24 13:57:38 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
    PRC - [2010/06/10 20:03:08 | 000,144,176 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    PRC - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
    PRC - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
    PRC - [2010/01/04 11:49:50 | 002,998,272 | ---- | M] (O2) -- C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe
    PRC - [2009/04/11 06:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2008/12/20 19:51:24 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    PRC - [2008/10/21 09:26:10 | 003,068,352 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KService.exe
    PRC - [2008/10/21 09:26:10 | 001,032,640 | ---- | M] (Kontiki Inc.) -- C:\Program Files\Kontiki\KHost.exe
    PRC - [2008/10/04 19:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    PRC - [2008/10/04 19:58:02 | 000,206,064 | ---- | M] (SupportSoft, Inc.) -- C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    PRC - [2008/09/24 04:09:52 | 001,295,656 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DellDock.exe
    PRC - [2008/09/24 04:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
    PRC - [2008/09/17 05:17:20 | 000,442,460 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
    PRC - [2008/09/17 05:17:12 | 000,225,362 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_85b55258\stacsv.exe
    PRC - [2008/09/17 05:17:02 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_85b55258\AEstSrv.exe
    PRC - [2008/09/04 05:29:18 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
    PRC - [2008/09/04 05:29:10 | 000,200,704 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
    PRC - [2008/09/04 05:29:10 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
    PRC - [2008/09/04 05:29:10 | 000,046,376 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApMsgFwd.exe
    PRC - [2008/05/23 20:06:08 | 000,128,296 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    PRC - [2008/05/07 23:41:14 | 000,354,840 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    PRC - [2008/05/07 23:41:12 | 000,178,712 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    PRC - [2007/01/30 12:02:00 | 000,303,104 | ---- | M] (FUJIFILM Corporation) -- C:\Program Files\FinePixViewer\QuickDCF2.exe
    PRC - [1996/12/09 00:00:00 | 000,111,376 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    PRC - [1996/12/09 00:00:00 | 000,051,984 | ---- | M] () -- C:\Program Files\Microsoft Office\Office\OSA.EXE


    ========== Modules (SafeList) ==========

    MOD - [2010/11/03 21:39:11 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Nicky\Downloads\OTL.exe
    MOD - [2010/10/03 22:43:42 | 000,431,336 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
    MOD - [2010/08/31 15:43:52 | 001,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll
    MOD - [2010/07/14 12:30:14 | 000,018,688 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll


    ========== Win32 Services (SafeList) ==========

    SRV - [2010/10/03 22:43:16 | 000,767,208 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
    SRV - [2010/09/01 20:28:43 | 000,030,192 | ---- | M] (Google) [On_Demand | Stopped] -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-051210-111108)
    SRV - [2010/08/24 13:57:38 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
    SRV - [2010/08/24 13:57:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
    SRV - [2010/08/24 13:57:38 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\Windows\System32\mfevtps.exe -- (mfevtp)
    SRV - [2010/06/10 20:03:08 | 000,144,176 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
    SRV - [2010/05/20 16:19:16 | 000,088,176 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
    SRV - [2010/04/15 08:45:10 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McProxy)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNASvc)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (McNaiAnn)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe -- (mcmscsvc)
    SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
    SRV - [2009/09/25 01:27:04 | 000,793,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
    SRV - [2008/12/20 19:57:51 | 000,016,680 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) [On_Demand | Stopped] -- C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe -- (GoToAssist)
    SRV - [2008/10/21 09:26:10 | 003,068,352 | ---- | M] (Kontiki Inc.) [Auto | Running] -- C:\Program Files\Kontiki\KService.exe -- (KService)
    SRV - [2008/10/04 19:58:04 | 000,201,968 | ---- | M] (SupportSoft, Inc.) [Auto | Running] -- C:\Program Files\Dell Support Center\bin\sprtsvc.exe -- (sprtsvc_DellSupportCenter) SupportSoft Sprocket Service (DellSupportCenter)
    SRV - [2008/09/24 04:09:52 | 000,155,648 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
    SRV - [2008/09/17 05:17:12 | 000,225,362 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_85b55258\stacsv.exe -- (STacSV)
    SRV - [2008/09/17 05:17:02 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_85b55258\AEstSrv.exe -- (AESTFilters)
    SRV - [2008/05/07 23:41:14 | 000,354,840 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
    SRV - [2008/01/21 02:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\Nicky\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - [2010/10/03 22:54:04 | 000,034,792 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\ProgramData\Trusteer\Rapport\store\exts\RapportCerberus\19917\RapportCerberus_19917.sys -- (RapportCerberus_19917)
    DRV - [2010/10/03 22:43:44 | 000,169,320 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
    DRV - [2010/10/03 22:43:44 | 000,059,240 | ---- | M] (Trusteer Ltd.) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\RapportKELL.sys -- (RapportKELL)
    DRV - [2010/08/24 13:57:38 | 000,386,712 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2010/08/24 13:57:38 | 000,312,904 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfefirek.sys -- (mfefirek)
    DRV - [2010/08/24 13:57:38 | 000,164,808 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfewfpk.sys -- (mfewfpk)
    DRV - [2010/08/24 13:57:38 | 000,152,992 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2010/08/24 13:57:38 | 000,095,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2010/08/24 13:57:38 | 000,084,264 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mferkdet.sys -- (mferkdet)
    DRV - [2010/08/24 13:57:38 | 000,064,304 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\mfenlfk.sys -- (mfenlfk)
    DRV - [2010/08/24 13:57:38 | 000,055,840 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cfwids.sys -- (cfwids)
    DRV - [2010/08/24 13:57:38 | 000,052,104 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2009/07/24 14:51:38 | 000,101,248 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbdev.sys -- (hwusbdev)
    DRV - [2009/07/21 13:04:04 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbser6k.sys -- (ZTEusbser6k)
    DRV - [2009/07/21 13:04:04 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbnmea.sys -- (ZTEusbnmea)
    DRV - [2009/07/21 13:04:04 | 000,105,088 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbmdm6k.sys -- (ZTEusbmdm6k)
    DRV - [2009/07/21 08:16:40 | 000,114,688 | ---- | M] (ZTE Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ZTEusbnet.sys -- (ZTEusbnet)
    DRV - [2009/06/22 19:01:02 | 000,112,128 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbnet.sys -- (ewusbnet)
    DRV - [2009/06/22 18:38:24 | 000,102,912 | ---- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard)
    DRV - [2009/04/27 13:15:04 | 000,009,216 | ---- | M] (ZTE Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\massfilter.sys -- (massfilter)
    DRV - [2008/11/20 10:19:34 | 000,018,424 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\bcm42rly.sys -- (BCM42RLY)
    DRV - [2008/10/27 11:25:50 | 001,207,288 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
    DRV - [2008/09/17 05:23:10 | 002,369,536 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
    DRV - [2008/09/17 05:17:22 | 000,382,976 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
    DRV - [2008/09/04 05:29:08 | 000,170,032 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
    DRV - [2008/09/02 09:19:22 | 000,069,664 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTSTOR.sys -- (RTSTOR)
    DRV - [2008/09/01 10:19:40 | 000,304,128 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh)
    DRV - [2008/09/01 10:15:54 | 000,317,976 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)
    DRV - [2008/01/21 02:23:27 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR)
    DRV - [2008/01/21 02:23:27 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
    DRV - [2008/01/21 02:23:27 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
    DRV - [2008/01/21 02:23:26 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
    DRV - [2008/01/21 02:23:26 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
    DRV - [2008/01/21 02:23:26 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
    DRV - [2008/01/21 02:23:25 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
    DRV - [2008/01/21 02:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
    DRV - [2008/01/21 02:23:25 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
    DRV - [2008/01/21 02:23:24 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
    DRV - [2008/01/21 02:23:24 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R)
    DRV - [2008/01/21 02:23:24 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
    DRV - [2008/01/21 02:23:23 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
    DRV - [2008/01/21 02:23:23 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
    DRV - [2008/01/21 02:23:23 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
    DRV - [2008/01/21 02:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
    DRV - [2008/01/21 02:23:23 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
    DRV - [2008/01/21 02:23:23 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc)
    DRV - [2008/01/21 02:23:22 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
    DRV - [2008/01/21 02:23:21 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
    DRV - [2008/01/21 02:23:21 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
    DRV - [2008/01/21 02:23:21 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
    DRV - [2008/01/21 02:23:20 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
    DRV - [2008/01/21 02:23:00 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
    DRV - [2008/01/21 02:23:00 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
    DRV - [2008/01/21 02:23:00 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
    DRV - [2006/11/02 09:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
    DRV - [2006/11/02 09:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
    DRV - [2006/11/02 09:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
    DRV - [2006/11/02 09:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
    DRV - [2006/11/02 09:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
    DRV - [2006/11/02 09:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
    DRV - [2006/11/02 09:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
    DRV - [2006/11/02 09:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
    DRV - [2006/11/02 09:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
    DRV - [2006/11/02 09:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
    DRV - [2006/11/02 09:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
    DRV - [2006/11/02 08:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
    DRV - [2006/11/02 08:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
    DRV - [2006/11/02 08:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
    DRV - [2006/11/02 08:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
    DRV - [2006/11/02 08:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
    DRV - [2006/11/02 08:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
    DRV - [2006/11/02 07:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
    DRV - [2006/11/02 07:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
    DRV - [2003/12/08 11:53:48 | 000,053,600 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\alcan5wn.sys -- (alcan5wn) SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)
    DRV - [2003/12/08 11:53:46 | 000,070,688 | ---- | M] (THOMSON) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\alcaudsl.sys -- (alcaudsl)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========


    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk
    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1
    IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/11/03 20:48:10 | 000,000,000 | ---D | M]


    O1 HOSTS File: ([2010/11/03 21:22:15 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
    O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll (Sun Microsystems, Inc.)
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\McAfee\SystemCore\ScriptSn.20101028211503.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5805.1910\swg.dll (Google Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll (Dell Inc.)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O3 - HKLM\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
    O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
    O4 - HKLM..\Run: [dellsupportcenter] C:\Program Files\Dell Support Center\bin\sprtcmd.exe (SupportSoft, Inc.)
    O4 - HKLM..\Run: [Google Desktop Search] C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (Google)
    O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (Intel Corporation)
    O4 - HKLM..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
    O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [O2Start] C:\Program Files\O2CM-CE\O2 Connection Manager\tscui.exe (O2)
    O4 - HKLM..\Run: [PDVDDXSrv] C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe (CyberLink Corp.)
    O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
    O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
    O4 - HKCU..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe (Kontiki Inc.)
    O4 - HKCU..\Run: [Mobile Partner] File not found
    O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
    O4 - Startup: C:\Users\Nicky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
    O4 - Startup: C:\Users\Nicky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
    O4 - Startup: C:\Users\Nicky\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE ()
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 157
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll (Google Inc.)
    O8 - Extra context menu item: orange search - C:\Program Files\ORANGE4\Cache\SelectedContextSearch.htm ()
    O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll (Sun Microsystems, Inc.)
    O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - File not found
    O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
    O15 - HKCU\..Trusted Domains: localhost ([]http in Local intranet)
    O15 - HKCU\..Trusted Ranges: GD ([http] in Local intranet)
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://www3.snapfish.co.uk/SnapfishUKActivia.cab (Snapfish Activia)
    O16 - DPF: {4ECE056F-E50F-4F9D-B069-EB342D21F26A} http://www3.snapfish.co.uk/SnapfishActivia3.cab (Snapfish Activia3)
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab (Facebook Photo Uploader 5 Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Java Plug-in 1.6.0_07)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.1.1
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Filter\application/x-internet-signup {A173B69A-1F9B-4823-9FDA-412F641E65D6} - C:\Program Files\Tiscali\Tiscali Internet\dlls\tiscalifilter.dll ()
    O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\GoToAssist: DllName - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll - C:\Program Files\Citrix\GoToAssist\514\g2awinlogon.dll (Citrix Online, a division of Citrix Systems, Inc.)
    O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
    O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg
    O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*

    NetSvcs: FastUserSwitchingCompatibility - File not found
    NetSvcs: Ias - File not found
    NetSvcs: Nla - File not found
    NetSvcs: Ntmssvc - File not found
    NetSvcs: NWCWorkstation - File not found
    NetSvcs: Nwsapagent - File not found
    NetSvcs: SRService - File not found
    NetSvcs: WmdmPmSp - File not found
    NetSvcs: LogonHours - File not found
    NetSvcs: PCAudit - File not found
    NetSvcs: helpsvc - File not found
    NetSvcs: uploadmgr - File not found

    Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
    Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)
    Drivers32: vidc.DIVX - C:\Windows\System32\DivX.dll (DivX, Inc.)
    Drivers32: vidc.yv12 - C:\Windows\System32\DivX.dll (DivX, Inc.)

    CREATERESTOREPOINT
    Restore point Set: OTL Restore Point

    ========== Files/Folders - Created Within 30 Days ==========

    [2010/11/03 21:25:22 | 000,000,000 | -HSD | C] -- C:\$RECYCLE.BIN
    [2010/11/03 21:25:17 | 000,000,000 | ---D | C] -- C:\Windows\temp
    [2010/11/03 21:07:49 | 000,161,792 | ---- | C] (SteelWerX) -- C:\Windows\SWREG.exe
    [2010/11/03 21:07:48 | 000,136,704 | ---- | C] (SteelWerX) -- C:\Windows\SWSC.exe
    [2010/11/03 21:07:42 | 000,000,000 | ---D | C] -- C:\Windows\ERDNT
    [2010/11/03 21:07:40 | 000,000,000 | ---D | C] -- C:\ComboFix
    [2010/11/03 21:06:55 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2010/11/03 21:06:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\Windows\SWXCACLS.exe
    [2010/11/03 21:06:27 | 000,000,000 | ---D | C] -- C:\32788R22FWJFW
    [2010/10/31 21:57:22 | 000,000,000 | ---D | C] -- C:\Users\Nicky\AppData\Roaming\Malwarebytes
    [2010/10/31 21:57:02 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
    [2010/10/31 21:57:01 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
    [2010/10/31 21:57:01 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2010/10/31 21:57:01 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
    [2010/10/28 20:15:03 | 000,009,344 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeclnk.sys
    [2010/10/28 20:14:53 | 000,141,792 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\mfevtps.exe
    [2010/10/28 20:14:45 | 000,386,712 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfehidk.sys
    [2010/10/28 20:14:45 | 000,312,904 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfefirek.sys
    [2010/10/28 20:14:45 | 000,164,808 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfewfpk.sys
    [2010/10/28 20:14:45 | 000,152,992 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys
    [2010/10/28 20:14:45 | 000,095,600 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeapfk.sys
    [2010/10/28 20:14:45 | 000,084,264 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdet.sys
    [2010/10/28 20:14:45 | 000,064,304 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfenlfk.sys
    [2010/10/28 20:14:45 | 000,055,840 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\cfwids.sys
    [2010/10/28 20:14:45 | 000,052,104 | ---- | C] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys
    [2010/10/18 07:16:25 | 000,112,128 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ewusbnet.sys
    [2010/10/18 07:16:25 | 000,102,912 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ewusbmdm.sys
    [2010/10/18 07:16:25 | 000,101,248 | ---- | C] (Huawei Technologies Co., Ltd.) -- C:\Windows\System32\drivers\ewusbdev.sys
    [2010/10/18 07:16:25 | 000,023,424 | ---- | C] (Huawei Tech. Co., Ltd.) -- C:\Windows\System32\drivers\ewdcsc.sys
    [2010/10/18 07:16:08 | 000,000,000 | ---D | C] -- C:\Program Files\3MobileWiFi
    [1 C:\Users\Nicky\Documents\*.tmp files -> C:\Users\Nicky\Documents\*.tmp -> ]

    ========== Files - Modified Within 30 Days ==========

    [2010/11/03 21:47:34 | 000,604,520 | ---- | M] () -- C:\Windows\System32\perfh009.dat
    [2010/11/03 21:47:34 | 000,107,796 | ---- | M] () -- C:\Windows\System32\perfc009.dat
    [2010/11/03 21:43:35 | 000,001,737 | ---- | M] () -- C:\Users\Public\Desktop\McAfee Internet Security.lnk
    [2010/11/03 21:42:26 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
    [2010/11/03 21:42:04 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
    [2010/11/03 21:42:04 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
    [2010/11/03 21:41:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
    [2010/11/03 21:41:52 | 3181,760,512 | -HS- | M] () -- C:\hiberfil.sys
    [2010/11/03 21:22:15 | 000,000,027 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
    [2010/11/03 21:20:08 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
    [2010/11/03 18:36:29 | 000,088,064 | ---- | M] () -- C:\Windows\MBR.exe
    [2010/11/01 19:33:35 | 000,087,552 | ---- | M] () -- C:\Users\Nicky\Documents\CV[1].doc
    [2010/10/31 21:57:05 | 000,000,820 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/10/28 20:29:21 | 000,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
    [2010/10/18 15:21:08 | 000,277,960 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
    [1 C:\Users\Nicky\Documents\*.tmp files -> C:\Users\Nicky\Documents\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2010/11/03 21:07:49 | 000,256,512 | ---- | C] () -- C:\Windows\PEV.exe
    [2010/11/03 21:07:49 | 000,098,816 | ---- | C] () -- C:\Windows\sed.exe
    [2010/11/03 21:07:49 | 000,088,064 | ---- | C] () -- C:\Windows\MBR.exe
    [2010/11/03 21:07:49 | 000,080,412 | ---- | C] () -- C:\Windows\grep.exe
    [2010/11/03 21:07:49 | 000,068,096 | ---- | C] () -- C:\Windows\zip.exe
    [2010/10/31 21:57:05 | 000,000,820 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
    [2010/10/29 19:08:56 | 000,001,737 | ---- | C] () -- C:\Users\Public\Desktop\McAfee Internet Security.lnk
    [2009/09/25 19:35:57 | 000,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
    [2009/08/25 14:54:32 | 000,033,664 | ---- | C] () -- C:\Windows\System32\drivers\TsWlan.sys
    [2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
    [2009/02/27 18:38:40 | 000,008,248 | ---- | C] () -- C:\Users\Nicky\AppData\Local\en.ini
    [2009/02/19 19:40:01 | 000,005,972 | ---- | C] () -- C:\Users\Nicky\AppData\Local\d3d9caps.dat
    [2009/02/13 19:14:07 | 000,024,576 | ---- | C] () -- C:\Users\Nicky\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2009/02/05 18:53:06 | 000,005,606 | ---- | C] () -- C:\Windows\System32\stci.dll
    [2008/12/20 21:25:10 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1489.dll
    [2008/12/20 19:46:02 | 000,055,808 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
    [2006/11/02 12:35:32 | 000,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
    [2006/11/02 10:25:44 | 000,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
    [2006/11/02 07:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
    [1996/12/09 00:00:00 | 000,022,016 | ---- | C] () -- C:\Windows\System32\DOCOBJ.DLL
    [1996/12/09 00:00:00 | 000,012,288 | ---- | C] () -- C:\Windows\System32\HLINKPRX.DLL

    ========== LOP Check ==========

    [2009/02/06 21:38:20 | 000,000,000 | ---D | M] -- C:\Users\Nicky\AppData\Roaming\FUJIFILM
    [2010/04/12 19:47:26 | 000,000,000 | ---D | M] -- C:\Users\Nicky\AppData\Roaming\Tatara Systems
    [2010/02/07 21:08:14 | 000,000,000 | ---D | M] -- C:\Users\Nicky\AppData\Roaming\Trusteer
    [2010/11/03 21:41:10 | 000,032,624 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

    ========== Purity Check ==========



    ========== Custom Scans ==========


    < %SYSTEMDRIVE%\*.* >
    [2006/09/18 21:43:36 | 000,000,024 | ---- | M] () -- C:\autoexec.bat
    [2009/04/11 06:36:36 | 000,333,257 | RHS- | M] () -- C:\bootmgr
    [2010/11/03 21:25:14 | 000,013,538 | ---- | M] () -- C:\ComboFix.txt
    [2006/09/18 21:43:37 | 000,000,010 | ---- | M] () -- C:\config.sys
    [2008/12/20 21:25:21 | 000,003,282 | RH-- | M] () -- C:\dell.sdr
    [2009/02/11 21:51:37 | 000,004,717 | -H-- | M] () -- C:\ffastun.ffa
    [2009/02/11 21:51:37 | 000,212,992 | -H-- | M] () -- C:\ffastun.ffl
    [2009/02/11 21:51:37 | 000,081,920 | -H-- | M] () -- C:\ffastun.ffo
    [2009/02/11 21:51:37 | 003,280,896 | -H-- | M] () -- C:\ffastun0.ffx
    [2010/11/03 21:41:52 | 3181,760,512 | -HS- | M] () -- C:\hiberfil.sys
    [2009/02/05 19:30:08 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
    [2009/02/05 19:30:08 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
    [2010/11/03 21:41:50 | 3495,567,360 | -HS- | M] () -- C:\pagefile.sys

    < %systemroot%\Fonts\*.com >
    [2006/11/02 12:37:12 | 000,026,040 | ---- | M] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
    [2006/11/02 12:37:12 | 000,026,489 | ---- | M] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
    [2006/11/02 12:37:12 | 000,029,779 | ---- | M] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
    [2010/02/21 14:32:43 | 000,037,665 | ---- | M] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont

    < %systemroot%\Fonts\*.dll >

    < %systemroot%\Fonts\*.ini >
    [2006/09/18 21:37:34 | 000,000,065 | ---- | M] () -- C:\Windows\Fonts\desktop.ini

    < %systemroot%\Fonts\*.ini2 >

    < %systemroot%\Fonts\*.exe >

    < %systemroot%\system32\spool\prtprocs\w32x86\*.* >
    [2006/11/02 12:35:48 | 000,022,528 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\spool\prtprocs\w32x86\jnwppr.dll

    < %systemroot%\REPAIR\*.bak1 >

    < %systemroot%\REPAIR\*.ini >

    < %systemroot%\system32\*.jpg >

    < %systemroot%\*.jpg >

    < %systemroot%\*.png >

    < %systemroot%\*.scr >

    < %systemroot%\*._sy >

    < %APPDATA%\Adobe\Update\*.* >

    < %ALLUSERSPROFILE%\Favorites\*.* >

    < %APPDATA%\Microsoft\*.* >

    < %PROGRAMFILES%\*.* >
    [2008/01/21 02:43:21 | 000,000,174 | -HS- | M] () -- C:\Program Files\desktop.ini

    < %APPDATA%\Update\*.* >

    < %systemroot%\*. /mp /s >

    < %systemroot%\System32\config\*.sav >
    [2008/01/21 03:14:18 | 016,846,848 | ---- | M] () -- C:\Windows\System32\config\COMPONENTS.SAV
    [2008/01/21 03:14:08 | 000,106,496 | ---- | M] () -- C:\Windows\System32\config\DEFAULT.SAV
    [2008/01/21 03:14:18 | 000,020,480 | ---- | M] () -- C:\Windows\System32\config\SECURITY.SAV
    [2006/11/02 10:34:08 | 010,133,504 | ---- | M] () -- C:\Windows\System32\config\SOFTWARE.SAV
    [2006/11/02 10:34:08 | 001,826,816 | ---- | M] () -- C:\Windows\System32\config\SYSTEM.SAV

    < %PROGRAMFILES%\bak. /s >

    < %systemroot%\system32\bak. /s >

    < %ALLUSERSPROFILE%\Start Menu\*.lnk /x >

    < %systemroot%\system32\config\systemprofile\*.dat /x >

    < %systemroot%\*.config >

    < %systemroot%\system32\*.db >

    < %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
    [2010/09/05 08:08:07 | 000,000,286 | -HS- | M] () -- C:\Users\Nicky\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini

    < %USERPROFILE%\Desktop\*.exe >

    < %PROGRAMFILES%\Common Files\*.* >

    < %systemroot%\*.src >

    < %systemroot%\install\*.* >

    < %systemroot%\system32\DLL\*.* >

    < %systemroot%\system32\HelpFiles\*.* >

    < %systemroot%\system32\rundll\*.* >

    < %systemroot%\winn32\*.* >

    < %systemroot%\Java\*.* >

    < %systemroot%\system32\test\*.* >

    < %systemroot%\system32\Rundll32\*.* >

    < %systemroot%\AppPatch\Custom\*.* >

    < %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

    < %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

    < %PROGRAMFILES%\Internet Explorer\*.tmp >

    < %PROGRAMFILES%\Internet Explorer\*.dat >

    < %USERPROFILE%\My Documents\*.exe >

    < %USERPROFILE%\*.exe >

    < %systemroot%\ADDINS\*.* >

    < %systemroot%\assembly\*.bak2 >

    < %systemroot%\Config\*.* >

    < %systemroot%\REPAIR\*.bak2 >

    < %systemroot%\SECURITY\Database\*.sdb /x >

    < %systemroot%\SYSTEM\*.bak2 >

    < %systemroot%\Web\*.bak2 >

    < %systemroot%\Driver Cache\*.* >

    < %PROGRAMFILES%\Mozilla Firefox\0*.exe >

    < %ProgramFiles%\Microsoft Common\*.* >

    < %ProgramFiles%\TinyProxy. >

    < %USERPROFILE%\Favorites\*.url /x >
    [2009/02/05 18:46:32 | 000,000,402 | -HS- | M] () -- C:\Users\Nicky\Favorites\desktop.ini
    [2010/09/05 08:08:24 | 000,000,405 | ---- | M] () -- C:\Users\Nicky\Favorites\Documents.lnk

    < %systemroot%\system32\*.bk >

    < %systemroot%\*.te >

    < %systemroot%\system32\system32\*.* >

    < %ALLUSERSPROFILE%\*.dat /x >

    < %systemroot%\system32\drivers\*.rmv >

    < dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

    < dir /b "%systemroot%\*.exe" | find /i " " /c >

    < %PROGRAMFILES%\Microsoft\*.* >

    < %systemroot%\System32\Wbem\proquota.exe >

    < %PROGRAMFILES%\Mozilla Firefox\*.dat >

    < %USERPROFILE%\Cookies\*.txt /x >

    < %SystemRoot%\system32\fonts\*.* >

    < %systemroot%\system32\winlog\*.* >

    < %systemroot%\system32\Language\*.* >

    < %systemroot%\system32\Settings\*.* >

    < %systemroot%\system32\*.quo >

    < %SYSTEMROOT%\AppPatch\*.exe >

    < %SYSTEMROOT%\inf\*.exe >

    < %SYSTEMROOT%\Installer\*.exe >

    < %systemroot%\system32\config\*.bak2 >

    < %systemroot%\system32\Computers\*.* >

    < %SystemRoot%\system32\Sound\*.* >

    < %SystemRoot%\system32\SpecialImg\*.* >

    < %SystemRoot%\system32\code\*.* >

    < %SystemRoot%\system32\draft\*.* >

    < %SystemRoot%\system32\MSSSys\*.* >

    < %ProgramFiles%\Javascript\*.* >

    < %systemroot%\pchealth\helpctr\System\*.exe /s >

    < %systemroot%\Web\*.exe >

    < %systemroot%\system32\msn\*.* >

    < %systemroot%\system32\*.tro >

    < %AppData%\Microsoft\Installer\msupdates\*.* >

    < %ProgramFiles%\Messenger\*.* >

    < %systemroot%\system32\systhem32\*.* >

    < %systemroot%\system\*.exe >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

    < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\stuff_0022.avi:TOC.WMV
    @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\stuff_0018.avi:TOC.WMV
    @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\stuff_0017.avi:TOC.WMV
    @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\Kefalonia_0037.avi:TOC.WMV
    @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\Kefalonia_0017.avi:TOC.WMV
    @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\Kefalonia_0016.avi:TOC.WMV

    < End of report >
     
  17. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Say again?

    You posted OTL.txt twice (I deleted one post). I still need Extras.txt
     
  18. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    At the top of your reply advising me to use OTL you mentioned uninstalling some Sky software.

    I had noticed that and had edited the duplicate to include the Extras.txt, but you must have deleted it while I was re-posting; you're far too efficient! :)

    As soon as I'm back home I'll post it again.
     
  19. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    [Extras]


    OTL Extras logfile created on: 03/11/2010 21:57:42 - Run 1
    OTL by OldTimer - Version 3.2.17.2 Folder = C:\Users\Nicky\Downloads
    Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
    Internet Explorer (Version = 8.0.6001.18975)
    Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

    3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 63.00% Memory free
    6.00 Gb Paging File | 5.00 Gb Available in Paging File | 79.00% Paging File free
    Paging file location(s): ?:\pagefile.sys [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
    Drive C: | 223.08 Gb Total Space | 163.05 Gb Free Space | 73.09% Space Free | Partition Type: NTFS
    Drive E: | 9.77 Gb Total Space | 4.57 Gb Free Space | 46.77% Space Free | Partition Type: NTFS

    Computer Name: NICKY-PC | User Name: Nicky | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Extra Registry (SafeList) ==========


    ========== File Associations ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
    .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

    ========== Shell Spawning ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [open] -- "%1" %*
    cmdfile [open] -- "%1" %*
    comfile [open] -- "%1" %*
    exefile [open] -- "%1" %*
    helpfile [open] -- Reg Error: Key error.
    hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
    htmlfile [edit] -- Reg Error: Key error.
    piffile [open] -- "%1" %*
    regfile [merge] -- Reg Error: Key error.
    scrfile [config] -- "%1"
    scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -- "%1" /S
    txtfile [edit] -- Reg Error: Key error.
    Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
    Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
    Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
    Directory [FinePix] -- "C:\Program Files\FinePixViewer\FinePixViewer.exe" "%1" (FUJIFILM Corporation)
    Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
    Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

    ========== Security Center Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "cval" = 1
    "FirewallDisableNotify" = 0
    "AntiVirusDisableNotify" = 0
    "UpdatesDisableNotify" = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
    "DisableMonitoring" = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
    "AntiVirusOverride" = 0
    "AntiSpywareOverride" = 0
    "FirewallOverride" = 0
    "VistaSp1" = Reg Error: Unknown registry data type -- File not found
    "VistaSp2" = Reg Error: Unknown registry data type -- File not found

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

    ========== System Restore Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 0

    ========== Firewall Settings ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
    "EnableFirewall" = 0
    "DisableNotifications" = 0

    ========== Authorized Applications List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


    ========== Vista Active Open Ports Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]

    ========== Vista Active Application Exception List ==========

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
    "{0F0C9E95-6A43-4E38-B966-61A2A0A2B12D}" = protocol=6 | dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
    "{40B83384-2809-4392-8D9A-6C0F0E102600}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{5295820A-AA35-4DF4-8795-55FC572FD49F}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
    "{58DAF945-3CB5-4B8F-B4EA-FCD55286FA0C}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\powerdvd.exe |
    "{5A7E495A-1A09-4D9F-AA4C-00ABB061AE8B}" = protocol=17 | dir=in | app=c:\program files\kontiki\kservice.exe |
    "{5F6AB1F0-F3B5-48F0-AB15-0A5DB42E7B94}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
    "{847C2D09-CC32-4BAA-9AF8-E2961304638D}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{86C32541-C882-4883-A396-981AD7A4C5A5}" = dir=in | app=c:\program files\cyberlink\powerdvd dx\pdvddxsrv.exe |
    "{94E1105D-8026-41BC-87A4-D351E9B1AF74}" = protocol=6 | dir=in | app=c:\program files\kontiki\kservice.exe |
    "{9D6A58B2-1294-485C-978F-6959ED8372AF}" = dir=in | app=c:\program files\common files\mcafee\mcsvchost\mcsvhost.exe |
    "{9DF7ECAA-86EF-48DD-AB35-4E3268C69F44}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
    "{B0F293A2-D6BE-4EB4-AD94-D8A8A61B3083}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
    "{C105EEBE-030B-4ADE-B6A1-4B9068D65DDC}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
    "{CCB8AEF6-14F9-4F49-86C8-84B6E5BD3CAC}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |

    ========== HKEY_LOCAL_MACHINE Uninstall List ==========

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
    "{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
    "{08E81ABD-79F7-49C2-881F-FD6CB0975693}" = Roxio Creator Data
    "{09760D42-E223-42AD-8C3E-55B47D0DDAC3}" = Roxio Creator DE
    "{0CB9668D-F979-4F31-B8B8-67FE90F929F8}" = Bonjour
    "{14C35072-D7D0-4B29-B5BF-C94E426D77E9}" = Sky Broadband
    "{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
    "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
    "{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
    "{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
    "{1F54DAFA-9261-4A62-B59D-6C9F26B48FE4}" = Roxio Creator Tools
    "{20C44F68-5CC1-4EF2-AC9F-744166861406}" = O2 Connection Manager
    "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
    "{24ED4D80-8294-11D5-96CD-0040266301AD}" = FinePixViewer Ver.5.4
    "{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
    "{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java(TM) 6 Update 7
    "{3D9892BB-A751-4E48-ADC8-E4289956CE1D}" = QuickTime
    "{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
    "{4B41AE13-BA0E-4328-8E83-AD2A0BEB33EB}" = Sky Player
    "{58B2B6D3-E5FF-4D16-87AC-52CC5717C7C6}" = Tiscali Internet
    "{62230596-37E5-4618-A329-0D21F529A86F}" = Browser Address Error Redirector
    "{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler 3
    "{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
    "{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
    "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
    "{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}" = EDocs
    "{6D3963B0-E13B-4FC3-B0FF-506A304BB043}" = Cisco EAP-FAST Module
    "{6FFB40A5-7F7D-4A32-8905-3CDF962EE1E4}" = Internet From BT
    "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
    "{73A4F29F-31AC-4EBD-AA1B-0CC5F18C8F83}" = Roxio Creator Audio
    "{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
    "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    "{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
    "{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
    "{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
    "{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
    "{85991ED2-010C-4930-96FA-52F43C2CE98A}" = Apple Mobile Device Support
    "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
    "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
    "{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
    "{91F7F3F3-CE80-48C3-8327-7D24A0A5716A}" = iTunes
    "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
    "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
    "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
    "{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
    "{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9
    "{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
    "{B2D328BE-45AD-4D92-96F9-2151490A203E}" = Apple Application Support
    "{B44529FF-501E-47CD-A06D-223C161BE058}" = FinePixViewer Resource
    "{B6A26DE5-F2B5-4D58-9570-4FC760E00FCD}" = Roxio Creator Copy
    "{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
    "{B935C985-A17F-484B-8470-09E4FC27DC26}" = Dell-eBay
    "{C39A4E1F-9AF1-4FE1-A80E-A5B867FABB42}" = Dell Best of Web
    "{C4972073-2BFE-475D-8441-564EA97DA161}" = QuickSet
    "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
    "{E3B3AB03-8ABC-46CF-8CA9-DB5581E1F368}" = FinePix Studio
    "{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center (Support Software)
    "{ED439A64-F018-4DD4-8BA5-328D85AB09AB}" = Roxio Creator DE
    "{F6CB42B9-F033-4152-8813-FF11DA8E6A78}" = Dell Dock
    "3MobileWiFi" = 3MobileWiFi
    "Adobe AIR" = Adobe AIR
    "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
    "Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card Utility
    "com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
    "Excel" = Microsoft Excel 97
    "Google Chrome" = Google Chrome
    "Google Desktop" = Google Desktop
    "GoToAssist" = GoToAssist 8.0.0.514
    "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
    "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
    "MSC" = McAfee Internet Security
    "orange4" = Orange Search Toolbar
    "Rapport_msi" = Rapport
    "Word8.0" = Microsoft Word 97
    "ZTE USB Driver" = ZTE USB Driver

    ========== Last 10 Event Log Errors ==========

    [ Application Events ]
    Error - 31/10/2010 12:58:15 | Computer Name = Nicky-PC | Source = Application Error | ID = 1000
    Description = Faulting application IEXPLORE.EXE, version 8.0.6001.18975, time stamp
    0x4c8710a6, faulting module 69AA.tmp_unloaded, version 0.0.0.0, time stamp 0x4cc77e36,
    exception code 0xc0000005, fault offset 0x050f2db0, process id 0xd00, application
    start time 0x01cb791cc66d0c75.

    Error - 31/10/2010 12:58:17 | Computer Name = Nicky-PC | Source = Application Error | ID = 1000
    Description = Faulting application IEXPLORE.EXE, version 8.0.6001.18975, time stamp
    0x4c8710a6, faulting module BAE.dll, version 1.2.0.3, time stamp 0x45536bde, exception
    code 0xc0000005, fault offset 0x00012db0, process id 0x5d0, application start time
    0x01cb791cc66f6dd5.

    Error - 31/10/2010 12:58:36 | Computer Name = Nicky-PC | Source = Application Error | ID = 1000
    Description = Faulting application IEXPLORE.EXE, version 8.0.6001.18975, time stamp
    0x4c8710a6, faulting module 69AA.tmp_unloaded, version 0.0.0.0, time stamp 0x4cc77e36,
    exception code 0xc0000005, fault offset 0x02f32db0, process id 0x17b0, application
    start time 0x01cb791cc23de1b5.

    Error - 31/10/2010 12:59:24 | Computer Name = Nicky-PC | Source = Application Error | ID = 1000
    Description = Faulting application IEXPLORE.EXE, version 8.0.6001.18975, time stamp
    0x4c8710a6, faulting module 69AA.tmp_unloaded, version 0.0.0.0, time stamp 0x4cc77e36,
    exception code 0xc0000005, fault offset 0x06eb2db0, process id 0x1564, application
    start time 0x01cb791cf2555045.

    Error - 31/10/2010 12:59:27 | Computer Name = Nicky-PC | Source = Application Error | ID = 1000
    Description = Faulting application IEXPLORE.EXE, version 8.0.6001.18975, time stamp
    0x4c8710a6, faulting module 69AA.tmp_unloaded, version 0.0.0.0, time stamp 0x4cc77e36,
    exception code 0xc0000005, fault offset 0x052b2db0, process id 0x157c, application
    start time 0x01cb791cf29a5825.

    Error - 31/10/2010 13:01:16 | Computer Name = Nicky-PC | Source = WinMgmt | ID = 10
    Description =

    Error - 31/10/2010 13:04:34 | Computer Name = Nicky-PC | Source = .NET Runtime Optimization Service | ID = 1111
    Description =

    Error - 31/10/2010 13:04:45 | Computer Name = Nicky-PC | Source = Application Error | ID = 1000
    Description = Faulting application IEXPLORE.EXE, version 8.0.6001.18975, time stamp
    0x4c8710a6, faulting module B8E2.tmp_unloaded, version 0.0.0.0, time stamp 0x4cc77e36,
    exception code 0xc0000005, fault offset 0x04522db0, process id 0x1228, application
    start time 0x01cb791db17e7280.

    Error - 31/10/2010 13:05:30 | Computer Name = Nicky-PC | Source = Application Error | ID = 1000
    Description = Faulting application IEXPLORE.EXE, version 8.0.6001.18975, time stamp
    0x4c8710a6, faulting module B8E2.tmp_unloaded, version 0.0.0.0, time stamp 0x4cc77e36,
    exception code 0xc0000005, fault offset 0x05ea2db0, process id 0xf28, application
    start time 0x01cb791dc99f82a0.

    Error - 31/10/2010 13:06:05 | Computer Name = Nicky-PC | Source = EventSystem | ID = 4621
    Description =

    [ Broadcom Wireless LAN Events ]
    Error - 29/10/2010 17:12:46 | Computer Name = Nicky-PC | Source = WLAN-Tray | ID = 0
    Description = 22:12:46, Fri, Oct 29, 10 Error - User "" does not have administrative
    privileges on this system

    Error - 30/10/2010 15:42:52 | Computer Name = Nicky-PC | Source = WLAN-Tray | ID = 0
    Description = 20:42:52, Sat, Oct 30, 10 Error - User "" does not have administrative
    privileges on this system

    Error - 30/10/2010 18:50:09 | Computer Name = Nicky-PC | Source = WLAN-Tray | ID = 0
    Description = 23:50:09, Sat, Oct 30, 10 Error - User "" does not have administrative
    privileges on this system

    Error - 31/10/2010 13:06:05 | Computer Name = Nicky-PC | Source = WLAN-Tray | ID = 0
    Description = 17:06:05, Sun, Oct 31, 10 Error - User "" does not have administrative
    privileges on this system

    Error - 31/10/2010 13:17:22 | Computer Name = Nicky-PC | Source = WLAN-Tray | ID = 0
    Description = 17:17:22, Sun, Oct 31, 10 Error - User "" does not have administrative
    privileges on this system

    Error - 31/10/2010 13:47:59 | Computer Name = Nicky-PC | Source = WLAN-Tray | ID = 0
    Description = 17:47:59, Sun, Oct 31, 10 Error - User "" does not have administrative
    privileges on this system

    Error - 31/10/2010 18:52:42 | Computer Name = Nicky-PC | Source = WLAN-Tray | ID = 0
    Description = 22:52:42, Sun, Oct 31, 10 Error - User "" does not have administrative
    privileges on this system

    Error - 01/11/2010 15:34:57 | Computer Name = Nicky-PC | Source = WLAN-Tray | ID = 0
    Description = 19:34:57, Mon, Nov 01, 10 Error - User "" does not have administrative
    privileges on this system

    Error - 01/11/2010 18:40:42 | Computer Name = Nicky-PC | Source = WLAN-Tray | ID = 0
    Description = 22:40:42, Mon, Nov 01, 10 Error - User "" does not have administrative
    privileges on this system

    Error - 03/11/2010 17:40:59 | Computer Name = Nicky-PC | Source = WLAN-Tray | ID = 0
    Description = 21:40:59, Wed, Nov 03, 10 Error - User "" does not have administrative
    privileges on this system

    [ System Events ]
    Error - 03/11/2010 17:09:31 | Computer Name = Nicky-PC | Source = Service Control Manager | ID = 7034
    Description =

    Error - 03/11/2010 17:10:02 | Computer Name = Nicky-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 03/11/2010 17:21:34 | Computer Name = Nicky-PC | Source = Service Control Manager | ID = 7034
    Description =

    Error - 03/11/2010 17:22:16 | Computer Name = Nicky-PC | Source = Service Control Manager | ID = 7030
    Description =

    Error - 03/11/2010 17:43:39 | Computer Name = Nicky-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 03/11/2010 17:43:39 | Computer Name = Nicky-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 03/11/2010 17:43:39 | Computer Name = Nicky-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 03/11/2010 17:43:39 | Computer Name = Nicky-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 03/11/2010 17:43:39 | Computer Name = Nicky-PC | Source = Service Control Manager | ID = 7000
    Description =

    Error - 03/11/2010 17:43:39 | Computer Name = Nicky-PC | Source = Service Control Manager | ID = 7022
    Description =


    < End of report >
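    The Application Event entries in the Extras log above are the crashes behind the DEP message from the first post: IEXPLORE.EXE faulting with exception code 0xc0000005 (an access violation) inside temporary modules that had already been unloaded, such as 69AA.tmp_unloaded and B8E2.tmp_unloaded, while the one crash in BAE.dll names a versioned, ordinary DLL. The parser below is an added example written for this page; it is not part of the thread and not OTL's own code. It reads a constructed sample of these "Last 10 Event Log Errors" records (copied from the log as posted, including OTL's line wrapping), extracts the faulting application, module, module version and exception code from each ID 1000 record, and flags the modules a responder would want to inspect first. The flagging rules (unloaded or .tmp modules, modules with no version resource) are heuristics chosen for this example, not a verdict on any file.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input (example only): four records in the format OTL writes
# under "Last 10 Event Log Errors" in Extras.txt, taken from the log posted in
# this thread. OTL wraps the Description field over several lines, which the
# parser must rejoin before it can match the fields.
SAMPLE_EXTRAS = """\
[ Application Events ]
Error - 31/10/2010 12:58:15 | Computer Name = Nicky-PC | Source = Application Error | ID = 1000
Description = Faulting application IEXPLORE.EXE, version 8.0.6001.18975, time stamp
0x4c8710a6, faulting module 69AA.tmp_unloaded, version 0.0.0.0, time stamp 0x4cc77e36,
exception code 0xc0000005, fault offset 0x050f2db0, process id 0xd00, application
start time 0x01cb791cc66d0c75.

Error - 31/10/2010 12:58:17 | Computer Name = Nicky-PC | Source = Application Error | ID = 1000
Description = Faulting application IEXPLORE.EXE, version 8.0.6001.18975, time stamp
0x4c8710a6, faulting module BAE.dll, version 1.2.0.3, time stamp 0x45536bde, exception
code 0xc0000005, fault offset 0x00012db0, process id 0x5d0, application start time
0x01cb791cc66f6dd5.

Error - 31/10/2010 13:01:16 | Computer Name = Nicky-PC | Source = WinMgmt | ID = 10
Description =

Error - 31/10/2010 13:04:45 | Computer Name = Nicky-PC | Source = Application Error | ID = 1000
Description = Faulting application IEXPLORE.EXE, version 8.0.6001.18975, time stamp
0x4c8710a6, faulting module B8E2.tmp_unloaded, version 0.0.0.0, time stamp 0x4cc77e36,
exception code 0xc0000005, fault offset 0x04522db0, process id 0x1228, application
start time 0x01cb791db17e7280.
"""

# One record header: "Error - <date time> | Computer Name = ... | Source = ... | ID = <n>"
HEADER_RE = re.compile(
    r"^Error - (?P<when>\S+ \S+) \| Computer Name = (?P<host>.+?)"
    r" \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$"
)
# Fields of a Windows "Application Error" (event ID 1000) description, after rejoining.
CRASH_RE = re.compile(
    r"Faulting application (?P<app>[^,]+), version (?P<app_ver>[^,]+), time stamp (?P<app_ts>0x[0-9a-fA-F]+),"
    r" faulting module (?P<module>[^,]+), version (?P<mod_ver>[^,]+), time stamp (?P<mod_ts>0x[0-9a-fA-F]+),"
    r" exception code (?P<exc>0x[0-9a-fA-F]+)"
)


@dataclass
class EventError:
    when: str
    host: str
    source: str
    event_id: int
    description: str
    app: Optional[str] = None            # crash fields stay None for non-crash records
    module: Optional[str] = None
    module_version: Optional[str] = None
    exception_code: Optional[str] = None


def parse_extras_errors(text: str) -> list[EventError]:
    """Parse OTL's 'Last 10 Event Log Errors' records into EventError objects."""
    events: list[EventError] = []
    desc_parts: list[str] = []

    def finish() -> None:
        # Attach the accumulated (rejoined) description to the last record.
        if not events:
            return
        ev = events[-1]
        joined = " ".join(desc_parts)
        ev.description = re.sub(r"^Description =\s*", "", joined).strip()
        m = CRASH_RE.search(ev.description)
        if m and ev.source == "Application Error" and ev.event_id == 1000:
            ev.app, ev.module = m["app"], m["module"]
            ev.module_version, ev.exception_code = m["mod_ver"], m["exc"].lower()
        desc_parts.clear()

    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            finish()
            events.append(EventError(when=m["when"], host=m["host"], source=m["source"],
                                     event_id=int(m["id"]), description=""))
        elif line and not line.startswith("[") and events:
            desc_parts.append(line)   # continuation of the wrapped Description
    finish()
    return events


def crash_summary(events: list[EventError]) -> Counter:
    """Count (application, faulting module, exception code) triples across the crashes."""
    return Counter((ev.app, ev.module, ev.exception_code) for ev in events if ev.module)


def suspicious_modules(events: list[EventError]) -> list[str]:
    """Crash modules worth a closer look (heuristic chosen for this example):
    modules Windows reports as already unloaded, .tmp modules, or modules with
    no version resource (0.0.0.0). Normal signed system DLLs rarely match."""
    flagged = set()
    for ev in events:
        if ev.module is None:
            continue
        name = ev.module.lower()
        if name.endswith("_unloaded") or ".tmp" in name or ev.module_version == "0.0.0.0":
            flagged.add(ev.module)
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_extras_errors(SAMPLE_EXTRAS)
    for (app, module, exc), n in crash_summary(parsed).items():
        print(f"{app} crashed {n}x in {module} with exception {exc}")
    print("modules to inspect:", suspicious_modules(parsed))
```

    Run against the sample, the summary shows every crash sharing the same exception code and two of the three faulting modules being unloaded .tmp files with no version information, which is what separates them from the versioned BAE.dll crash and is the kind of pattern a responder would pull out of a log like this before looking at anything else.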
     
  20. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    I see. That wasn't obligatory, just a warning...

    ========================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    ====================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O3 - HKLM\..\Toolbar: (no name) - {4E7BD74F-2B8D-469E-A6FB-F862B587B57D} - No CLSID value found.
      O4 - HKCU..\Run: [Mobile Partner] File not found
      O9 - Extra Button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - File not found
      O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
      O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found
      [1 C:\Users\Nicky\Documents\*.tmp files -> C:\Users\Nicky\Documents\*.tmp -> ]
      @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\stuff_0022.avi:TOC.WMV
      @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\stuff_0018.avi:TOC.WMV
      @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\stuff_0017.avi:TOC.WMV
      @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\Kefalonia_0037.avi:TOC.WMV
      @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\Kefalonia_0017.avi:TOC.WMV
      @Alternate Data Stream - 64 bytes -> C:\Users\Nicky\Documents\Kefalonia_0016.avi:TOC.WMV
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    ====================================================================

    Last scans...

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

      NOTE: SecurityCheck may produce some false warning(s), so leave reading the results to me.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart the computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If ESET doesn't find any threats, it won't produce a log.
     
  21. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    OTL log
    ******

    All processes killed
    ========== OTL ==========
    Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{4E7BD74F-2B8D-469E-A6FB-F862B587B57D} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-A6FB-F862B587B57D}\ not found.
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Mobile Partner deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08E730A4-FB02-45BD-A900-01E4AD8016F6}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08E730A4-FB02-45BD-A900-01E4AD8016F6}\ not found.
    Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
    C:\Windows\Downloaded Program Files\gp.inf not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
    C:\Users\Nicky\Documents\Wimbledon_0005.jpg~RF25972c.TMP deleted successfully.
    ADS C:\Users\Nicky\Documents\stuff_0022.avi:TOC.WMV deleted successfully.
    ADS C:\Users\Nicky\Documents\stuff_0018.avi:TOC.WMV deleted successfully.
    ADS C:\Users\Nicky\Documents\stuff_0017.avi:TOC.WMV deleted successfully.
    ADS C:\Users\Nicky\Documents\Kefalonia_0037.avi:TOC.WMV deleted successfully.
    ADS C:\Users\Nicky\Documents\Kefalonia_0017.avi:TOC.WMV deleted successfully.
    ADS C:\Users\Nicky\Documents\Kefalonia_0016.avi:TOC.WMV deleted successfully.
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware\\DisableMonitoring deleted successfully.
    ========== FILES ==========
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Nicky
    ->Temp folder emptied: 1017945 bytes
    ->Temporary Internet Files folder emptied: 103890972 bytes
    ->Java cache emptied: 440629 bytes
    ->Google Chrome cache emptied: 61003421 bytes
    ->Flash cache emptied: 9481 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 223 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 875296 bytes

    Total Files Cleaned = 159.00 mb


    [EMPTYFLASH]

    User: All Users

    User: Default

    User: Default User

    User: Nicky
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb


    OTL by OldTimer - Version 3.2.17.2 log created on 11062010_080849

    Files\Folders moved on Reboot...

    Registry entries deleted on Reboot...
     
  22. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    Temporary File Cleaner - complete
     
  23. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    ESET log
    ******


    C:\Qoobox\Quarantine\C\Users\Nicky\AppData\Roaming\bbxnz.exe.vir Win32/Fbphotofake.A worm
    C:\Qoobox\Quarantine\C\Users\Nicky\AppData\Roaming\xxkmc.exe.vir Win32/Agent.RST trojan
     
  24. brothwpj79

    brothwpj79 TS Rookie Topic Starter Posts: 21

    Unable to download Security Check (web page not available)
     
  25. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    It's working for me. Try again.
     
Topic Status:
Not open for further replies.
