TechSpot

Remaining virus and trojan horse infections I can't eliminate

By goleftfast
Jan 5, 2012
  1. Need help eliminating the final virus and trojans on my laptop please. I followed your 5-step removal instructions and the scans no longer pick up any issues, but I believe I'm still infected due to hang-ups and not being able to connect to the internet via wireless or wired any longer.


    Malwarebytes Anti-Malware 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.02.01

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Owner :: OWNER-830FA6330 [administrator]

    1/3/2012 7:09:45 PM
    mbam-log-2012-01-03 (19-09-45).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 239101
    Time elapsed: 30 minute(s), 25 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)

    Other logs to be posted in next reply
  2. goleftfast


    gmer.log

    GMER log part 1.....

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-01-04 20:05:41
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD3200BEVT-11ZCT0 rev.11.01A11
    Running: 2f0ttoz1.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwpdrpob.sys

    ---- System - GMER 1.0.15 ----

    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF74C24C0]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF74C24D4]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF74C2500]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF74C2556]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF74C24AC]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF74C2484]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF74C2498]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF74C24EA]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF74C252C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF74C2516]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF74C2580]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF74C256C]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF74C2540]
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
    Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject
    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF64ABEBF]
    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00A90000
    .text C:\WINDOWS\system32\svchost.exe[404] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00A90036
    .text C:\WINDOWS\system32\svchost.exe[404] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A90025
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80000
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A800A1
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A80086
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A80075
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80FAC
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A8003D
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A80F74
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A800BC
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A80F34
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A800D7
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80F23
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A80058
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80011
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A80F9B
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A8002C
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80FDB
    .text C:\WINDOWS\system32\svchost.exe[404] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A80F4F
    .text C:\WINDOWS\system32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AD0FC3
    .text C:\WINDOWS\system32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AD0065
    .text C:\WINDOWS\system32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AD0FD4
    .text C:\WINDOWS\system32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AD0FE5
    .text C:\WINDOWS\system32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AD004A
    .text C:\WINDOWS\system32\svchost.exe[404] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AD0000
    .text C:\WINDOWS\system32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AD0FA8
    .text C:\WINDOWS\system32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CD, 88] {INT 0x88}
    .text C:\WINDOWS\system32\svchost.exe[404] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AD002F
    .text C:\WINDOWS\system32\svchost.exe[404] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AC0049
    .text C:\WINDOWS\system32\svchost.exe[404] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AC0038
    .text C:\WINDOWS\system32\svchost.exe[404] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AC0FE3
    .text C:\WINDOWS\system32\svchost.exe[404] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AC0000
    .text C:\WINDOWS\system32\svchost.exe[404] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AC0FC8
    .text C:\WINDOWS\system32\svchost.exe[404] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AC001D
    .text C:\WINDOWS\system32\svchost.exe[404] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00AA000A
    .text C:\WINDOWS\system32\svchost.exe[404] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00AA001B
    .text C:\WINDOWS\system32\svchost.exe[404] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00AA0FE5
    .text C:\WINDOWS\system32\svchost.exe[404] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00AA0040
    .text C:\WINDOWS\system32\svchost.exe[404] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AB0FEF
    .text C:\WINDOWS\system32\svchost.exe[468] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00CD000A
    .text C:\WINDOWS\system32\svchost.exe[468] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00CD0036
    .text C:\WINDOWS\system32\svchost.exe[468] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CD0025
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00CC0FEF
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00CC0085
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00CC0F90
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00CC0FA1
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00CC005E
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00CC0043
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00CC00B1
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00CC00A0
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00CC00DD
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00CC0F44
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00CC00EE
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00CC0FB2
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00CC0014
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00CC0F7F
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00CC0FCD
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00CC0FDE
    .text C:\WINDOWS\system32\svchost.exe[468] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00CC00C2
    .text C:\WINDOWS\system32\svchost.exe[468] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D5003D
    .text C:\WINDOWS\system32\svchost.exe[468] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50073
    .text C:\WINDOWS\system32\svchost.exe[468] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D5002C
    .text C:\WINDOWS\system32\svchost.exe[468] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D5001B
    .text C:\WINDOWS\system32\svchost.exe[468] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50058
    .text C:\WINDOWS\system32\svchost.exe[468] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D5000A
    .text C:\WINDOWS\system32\svchost.exe[468] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D50FB6
    .text C:\WINDOWS\system32\svchost.exe[468] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F5, 88]
    .text C:\WINDOWS\system32\svchost.exe[468] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50FC7
    .text C:\WINDOWS\system32\svchost.exe[468] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40F81
    .text C:\WINDOWS\system32\svchost.exe[468] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40F9C
    .text C:\WINDOWS\system32\svchost.exe[468] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FC8
    .text C:\WINDOWS\system32\svchost.exe[468] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40FE3
    .text C:\WINDOWS\system32\svchost.exe[468] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40FAD
    .text C:\WINDOWS\system32\svchost.exe[468] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D4000C
    .text C:\WINDOWS\system32\svchost.exe[468] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00CE0000
    .text C:\WINDOWS\system32\svchost.exe[468] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00CE0FE5
    .text C:\WINDOWS\system32\svchost.exe[468] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00CE0FD4
    .text C:\WINDOWS\system32\svchost.exe[468] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00CE0FB9
    .text C:\WINDOWS\system32\svchost.exe[468] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CF0FE5
    .text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C10FEF
    .text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C10FB9
    .text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C10FD4
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F68
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C0005D
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00F83
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00040
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00F9E
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C00F2B
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F3C
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00098
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00EFF
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C00EDA
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C0002F
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C00FD4
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C00F4D
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C00FC3
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C00014
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C00F1A
    .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BF001B
    .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BF0051
    .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BF000A
    .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BF0FD4
    .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BF0F94
    .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BF0FEF
    .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BF0FA5
    .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DF, 88]
    .text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BF0036
    .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E60FAB
    .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60036
    .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E60FD7
    .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E60000
    .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60FBC
    .text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E60011
    .text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00C2000A
    .text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00C20FE5
    .text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00C20FCA
    .text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00C20FB9
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50FEF
    .text C:\WINDOWS\Explorer.EXE[1208] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01710000
    .text C:\WINDOWS\Explorer.EXE[1208] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0171002C
    .text C:\WINDOWS\Explorer.EXE[1208] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01710011
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01700FEF
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01700045
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01700F50
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01700F61
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01700F72
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01700FA8
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0170006C
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01700F24
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01700EEB
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0170008E
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0170009F
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01700F8D
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0170000A
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001A4844
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01700F35
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01700FB9
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01700FCA
    .text C:\WINDOWS\Explorer.EXE[1208] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 0170007D
    .text C:\WINDOWS\Explorer.EXE[1208] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01750FC3
    .text C:\WINDOWS\Explorer.EXE[1208] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01750F8D
    .text C:\WINDOWS\Explorer.EXE[1208] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01750FD4
    .text C:\WINDOWS\Explorer.EXE[1208] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0175000A
    .text C:\WINDOWS\Explorer.EXE[1208] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0175004A
    .text C:\WINDOWS\Explorer.EXE[1208] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01750FE5
    .text C:\WINDOWS\Explorer.EXE[1208] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 01750FA8
    .text C:\WINDOWS\Explorer.EXE[1208] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [95, 89]
    .text C:\WINDOWS\Explorer.EXE[1208] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0175002F
    .text C:\WINDOWS\Explorer.EXE[1208] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0174006C
    .text C:\WINDOWS\Explorer.EXE[1208] msvcrt.dll!system 77C293C7 5 Bytes JMP 01740FD7
    .text C:\WINDOWS\Explorer.EXE[1208] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0174002C
    .text C:\WINDOWS\Explorer.EXE[1208] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01740000
    .text C:\WINDOWS\Explorer.EXE[1208] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0174003D
    .text C:\WINDOWS\Explorer.EXE[1208] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01740011
    .text C:\WINDOWS\Explorer.EXE[1208] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 01720FEF
    .text C:\WINDOWS\Explorer.EXE[1208] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 01720FDE
    .text C:\WINDOWS\Explorer.EXE[1208] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 01720FCD
    .text C:\WINDOWS\Explorer.EXE[1208] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 01720FB2
    .text C:\WINDOWS\Explorer.EXE[1208] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01730FEF
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 624199A1 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419A63 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
    .text C:\WINDOWS\system32\services.exe[1504] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00FE0FE5
    .text C:\WINDOWS\system32\services.exe[1504] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00FE0FCA
    .text C:\WINDOWS\system32\services.exe[1504] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00FE0000
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00FD0FEF
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00FD0F6D
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00FD006C
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00FD0F92
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00FD0FAF
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00FD0036
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00FD0F50
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00FD0098
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00FD00BA
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00FD0F21
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00FD0F10
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00FD0047
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00FD0FD4
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00FD007D
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00FD001B
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00FD000A
    .text C:\WINDOWS\system32\services.exe[1504] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00FD00A9
    .text C:\WINDOWS\system32\services.exe[1504] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0154002C
    .text C:\WINDOWS\system32\services.exe[1504] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0154005F
    .text C:\WINDOWS\system32\services.exe[1504] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0154001B
    .text C:\WINDOWS\system32\services.exe[1504] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01540FE5
    .text C:\WINDOWS\system32\services.exe[1504] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01540FA2
    .text C:\WINDOWS\system32\services.exe[1504] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01540000
    .text C:\WINDOWS\system32\services.exe[1504] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0154004E
    .text C:\WINDOWS\system32\services.exe[1504] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0154003D
    .text C:\WINDOWS\system32\services.exe[1504] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01530FB7
    .text C:\WINDOWS\system32\services.exe[1504] msvcrt.dll!system 77C293C7 5 Bytes JMP 01530038
    .text C:\WINDOWS\system32\services.exe[1504] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0153001D
    .text C:\WINDOWS\system32\services.exe[1504] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01530FEF
    .text C:\WINDOWS\system32\services.exe[1504] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01530FC8
    .text C:\WINDOWS\system32\services.exe[1504] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0153000C
    .text C:\WINDOWS\system32\services.exe[1504] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00FF0FE5
    .text C:\WINDOWS\system32\services.exe[1504] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00FF0FCA
    .text C:\WINDOWS\system32\services.exe[1504] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00FF0000
    .text C:\WINDOWS\system32\services.exe[1504] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00FF0011
    .text C:\WINDOWS\system32\services.exe[1504] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01520FEF
    .text C:\WINDOWS\system32\lsass.exe[1516] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E60FEF
    .text C:\WINDOWS\system32\lsass.exe[1516] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E60FD4
    .text C:\WINDOWS\system32\lsass.exe[1516] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E6000A
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D10FEF
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D10F8B
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D10080
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D10065
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D10054
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D1001E
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D10F42
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D10F53
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D10F16
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D10F27
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D100CA
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D1002F
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D10FD4
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D10F7A
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D10FB2
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D10FC3
    .text C:\WINDOWS\system32\lsass.exe[1516] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D100A5
    .text C:\WINDOWS\system32\lsass.exe[1516] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01500FAF
    .text C:\WINDOWS\system32\lsass.exe[1516] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01500047
    .text C:\WINDOWS\system32\lsass.exe[1516] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01500FC0
    .text C:\WINDOWS\system32\lsass.exe[1516] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01500000
    .text C:\WINDOWS\system32\lsass.exe[1516] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01500F8A
    .text C:\WINDOWS\system32\lsass.exe[1516] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01500FEF
    .text C:\WINDOWS\system32\lsass.exe[1516] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0150002C
    .text C:\WINDOWS\system32\lsass.exe[1516] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01500011
    .text C:\WINDOWS\system32\lsass.exe[1516] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 014F0F81
    .text C:\WINDOWS\system32\lsass.exe[1516] msvcrt.dll!system 77C293C7 5 Bytes JMP 014F0F9C
    .text C:\WINDOWS\system32\lsass.exe[1516] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 014F0FD2
    .text C:\WINDOWS\system32\lsass.exe[1516] msvcrt.dll!_open 77C2F566 5 Bytes JMP 014F0FEF
    .text C:\WINDOWS\system32\lsass.exe[1516] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 014F0FAD
    .text C:\WINDOWS\system32\lsass.exe[1516] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 014F000C
    .text C:\WINDOWS\system32\lsass.exe[1516] WS2_32.dll!socket 71AB4211 5 Bytes JMP 014E0000
    .text C:\WINDOWS\system32\lsass.exe[1516] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00FF0000
    .text C:\WINDOWS\system32\lsass.exe[1516] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00FF0FEF
    .text C:\WINDOWS\system32\lsass.exe[1516] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00FF0025
    .text C:\WINDOWS\system32\lsass.exe[1516] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00FF0040
    .text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00930000
    .text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0093002C
    .text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0093001B
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00920FEF
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00920062
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00920051
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00920040
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 0092002F
    .text C:\WINDOWS\system32\svchost.exe[1756]


  3. goleftfast


    gmer.log part 2

    GMER log part 2

    kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00920FA8
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00920095
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00920084
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00920F32
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009200C1
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00920F21
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00920F83
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00920FDE
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 001A4844
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00920073
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00920014
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00920FCD
    .text C:\WINDOWS\system32\svchost.exe[1756] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009200B0
    .text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 010A001B
    .text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 010A0F79
    .text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 010A0FCA
    .text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 010A0FE5
    .text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 010A0F94
    .text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 010A0000
    .text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 010A0036
    .text C:\WINDOWS\system32\svchost.exe[1756] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 010A0FAF
    .text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01090042
    .text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!system 77C293C7 5 Bytes JMP 01090027
    .text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01090FC1
    .text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01090FE3
    .text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01090016
    .text C:\WINDOWS\system32\svchost.exe[1756] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01090FD2
    .text C:\WINDOWS\system32\svchost.exe[1756] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00940FE5
    .text C:\WINDOWS\system32\svchost.exe[1756] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00940FCA
    .text C:\WINDOWS\system32\svchost.exe[1756] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00940FAF
    .text C:\WINDOWS\system32\svchost.exe[1756] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00940F9E
    .text C:\WINDOWS\system32\svchost.exe[1756] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00950000
    .text C:\WINDOWS\system32\svchost.exe[1836] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F70FEF
    .text C:\WINDOWS\system32\svchost.exe[1836] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F70FD4
    .text C:\WINDOWS\system32\svchost.exe[1836] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F7000A
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F60FEF
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F60078
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F60F83
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F60F94
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F60FA5
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F60047
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F60F4D
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F60F68
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F60F32
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F600CB
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F60F17
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F60FC0
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F6000A
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F60089
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F60036
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F60025
    .text C:\WINDOWS\system32\svchost.exe[1836] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F600BA
    .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0FD1
    .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0FA2
    .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF002C
    .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0011
    .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0069
    .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0000
    .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FF0058
    .text C:\WINDOWS\system32\svchost.exe[1836] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0047
    .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0047
    .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0022
    .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FC6
    .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0000
    .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0011
    .text C:\WINDOWS\system32\svchost.exe[1836] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FD7
    .text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00F80000
    .text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00F8001B
    .text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00F8002C
    .text C:\WINDOWS\system32\svchost.exe[1836] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00F80FDB
    .text C:\WINDOWS\system32\svchost.exe[1836] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F90000
    .text C:\WINDOWS\System32\svchost.exe[2036] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F60FEF
    .text C:\WINDOWS\System32\svchost.exe[2036] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F60FC3
    .text C:\WINDOWS\System32\svchost.exe[2036] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F60FDE
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50000
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50044
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50F59
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F76
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50033
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50022
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50F03
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50055
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F5009C
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F50081
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F500AD
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F50F9B
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F50FDB
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0090000C
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F50F34
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F50FB6
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F50011
    .text C:\WINDOWS\System32\svchost.exe[2036] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F50066
    .text C:\WINDOWS\System32\svchost.exe[2036] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 038E0014
    .text C:\WINDOWS\System32\svchost.exe[2036] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 038E0F61
    .text C:\WINDOWS\System32\svchost.exe[2036] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 038E0FC3
    .text C:\WINDOWS\System32\svchost.exe[2036] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 038E0FD4
    .text C:\WINDOWS\System32\svchost.exe[2036] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 038E0F72
    .text C:\WINDOWS\System32\svchost.exe[2036] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 038E0FEF
    .text C:\WINDOWS\System32\svchost.exe[2036] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 038E0F8D
    .text C:\WINDOWS\System32\svchost.exe[2036] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [AE, 8B]
    .text C:\WINDOWS\System32\svchost.exe[2036] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 038E0FA8
    .text C:\WINDOWS\System32\svchost.exe[2036] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 03C4000A
    .text C:\WINDOWS\System32\svchost.exe[2036] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 03C5000A
    .text C:\WINDOWS\System32\svchost.exe[2036] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 03C6000A
    .text C:\WINDOWS\System32\svchost.exe[2036] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 00AD000A
    .text C:\WINDOWS\System32\svchost.exe[2036] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 038D0FB9
    .text C:\WINDOWS\System32\svchost.exe[2036] msvcrt.dll!system 77C293C7 5 Bytes JMP 038D0044
    .text C:\WINDOWS\System32\svchost.exe[2036] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 038D0029
    .text C:\WINDOWS\System32\svchost.exe[2036] msvcrt.dll!_open 77C2F566 5 Bytes JMP 038D0FEF
    .text C:\WINDOWS\System32\svchost.exe[2036] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 038D0FD4
    .text C:\WINDOWS\System32\svchost.exe[2036] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 038D000C
    .text C:\WINDOWS\System32\svchost.exe[2036] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 0244000A
    .text C:\WINDOWS\System32\svchost.exe[2036] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 02440FE5
    .text C:\WINDOWS\System32\svchost.exe[2036] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 0244001B
    .text C:\WINDOWS\System32\svchost.exe[2036] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 02440036
    .text C:\WINDOWS\System32\svchost.exe[2036] WS2_32.dll!socket 71AB4211 5 Bytes JMP 038C0FEF
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 38E50FE5
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 38E5001B
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 38E5000A
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 38E40000
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 38E40F79
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 38E40078
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 38E40F9E
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 38E4005B
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 38E40025
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 38E40F30
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 38E40F4D
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 38E4009D
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 38E40F04
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 38E400AE
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 38E40040
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 38E40FE5
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 38E40F5E
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 38E40FC3
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 38E40FD4
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 38E40F15
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C80040
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C80FB5
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C8001B
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C80000
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C80FC6
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C80FD7
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C90022
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C9007A
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C90011
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C90FE5
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C9005F
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C90000
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C90044
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C90033
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00C60FEF
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00C60014
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00C60FDE
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00C60039
    .text c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe[2068] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C70000
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 34FD0FEF
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 34FD0FC3
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 34FD0FD4
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 34FC0000
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 34FC0069
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 34FC0F74
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 34FC0F8F
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 34FC0058
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 34FC0022
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 34FC0F3E
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 34FC0F4F
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 34FC0F01
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 34FC0F12
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 34FC00B5
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 34FC003D
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 34FC0011
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 34FC007A
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 34FC0FC0
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 34FC0FD1
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 34FC0F2D
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 34F90044
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] msvcrt.dll!system 77C293C7 5 Bytes JMP 34F90033
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 34F90022
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] msvcrt.dll!_open 77C2F566 5 Bytes JMP 34F90000
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 34F90FCD
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 34F90011
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 34FB0FC0
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 34FB0F79
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 34FB0FDB
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 34FB0011
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 34FB0F8A
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 34FB0000
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 34FB0FA5
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1B, BD]
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 34FB002C
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 34F70FE5
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 34F70000
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 34F7001B
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 34F70FC0
    .text c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[2220] WS2_32.dll!socket 71AB4211 5 Bytes JMP 34F80FEF
    .text C:\WINDOWS\system32\svchost.exe[3016] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00D90000
    .text C:\WINDOWS\system32\svchost.exe[3016] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D90011
    .text C:\WINDOWS\system32\svchost.exe[3016] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D90FDB
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D80FEF
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D8006F
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D80054
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D80F86
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D80043
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D8001E
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D800B1
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D80094
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D800EE
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D800DD
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D80F3A
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D80F97
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D80FDE
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D80F69
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D80FA8
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D80FB9
    .text C:\WINDOWS\system32\svchost.exe[3016] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D800C2
    .text C:\WINDOWS\system32\svchost.exe[3016] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D70036
    .text C:\WINDOWS\system32\svchost.exe[3016] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D70FAF
    .text C:\WINDOWS\system32\svchost.exe[3016] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D7001B
    .text C:\WINDOWS\system32\svchost.exe[3016] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D70FE5
    .text C:\WINDOWS\system32\svchost.exe[3016] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D7006C
    .text C:\WINDOWS\system32\svchost.exe[3016] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D70000
    .text C:\WINDOWS\system32\svchost.exe[3016] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D70FCA
    .text C:\WINDOWS\system32\svchost.exe[3016] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F7, 88]
    .text C:\WINDOWS\system32\svchost.exe[3016] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D70047
    .text C:\WINDOWS\system32\svchost.exe[3016] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D60FA1
    .text C:\WINDOWS\system32\svchost.exe[3016] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D6002C
    .text C:\WINDOWS\system32\svchost.exe[3016] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D60FD7
    .text C:\WINDOWS\system32\svchost.exe[3016] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D60000
    .text C:\WINDOWS\system32\svchost.exe[3016] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D60FC6
    .text C:\WINDOWS\system32\svchost.exe[3016] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D60011
    .text C:\WINDOWS\system32\svchost.exe[3016] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00D50FEF
    .text C:\WINDOWS\system32\svchost.exe[3016] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 00D5000A
    .text C:\WINDOWS\system32\svchost.exe[3016] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00D50025
    .text C:\WINDOWS\system32\svchost.exe[3016] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00D50036

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\mfevtps.exe[1920] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [0040A4B0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
    IAT C:\WINDOWS\system32\mfevtps.exe[1920] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [0040A510] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 864E72C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 864E72C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 864E72C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 864E72C6

    AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1409082233-1417001333-682003330-1003@RefCount 1

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\$NtUninstallKB55942$\2663269432 0 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\bckfg.tmp 942 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\cfg.ini 208 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\Desktop.ini 4608 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\keywords 312 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\kwrd.dll 223744 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\L 0 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\L\jstbznpr 52480 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\lsflt7.ver 5176 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\U 0 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\U\00000001.$ 0 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\U\00000001.@ 2048 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\U\00000002.@ 224768 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\U\00000004.@ 1024 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\U\80000000.@ 11264 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\U\80000004.@ 12800 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\U\80000032.$ 0 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2663269432\U\80000032.@ 97792 bytes
    File C:\WINDOWS\$NtUninstallKB55942$\2824895661 0 bytes

    ---- EOF - GMER 1.0.15 ----
  4. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    DDS.txt

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Owner at 20:05:59 on 2012-01-04
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.461 [GMT -6:00]
    .
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled*
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\FCyberAlert\Syslogin.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Synaptics\SynTP\Toshiba.exe
    svchost.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\WINDOWS\system32\mfevtps.exe
    c:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Documents and Settings\Owner\Desktop\2f0ttoz1.exe
    c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    C:\Program Files\McAfee.com\Agent\mcagent.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://www.google.com
    uWindow Title = Windows Internet Explorer provided by Microsoft
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    uURLSearchHooks: H - No File
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20111226160148.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SetDefPrt] c:\program files\brother\brmfl04g\BrStDvPt.exe
    mRun: [ControlCenter2.0] c:\program files\brother\controlcenter2\brctrcen.exe /autorun
    mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe
    mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe
    mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
    mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [FamilyCyberAlert] c:\windows\system32\fcyberalert\Syslogin.exe
    dPolicies-explorer: NoDesktop = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    LSP: mswsock.dll
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\progra~1\mcafee\msc\McSnIePl.dll
    Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: igfxcui - igfxdev.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2011-12-24 464176]
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-12-24 89792]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-24 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-24 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-24 214904]
    R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-24 214904]
    R2 McShield;McAfee McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-12-24 166288]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-12-24 160608]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-12-24 150856]
    R2 MSSQL$SOSHOME309;SQL Server (SOSHOME309);c:\program files\microsoft sql server\mssql.2\mssql\binn\sqlservr.exe [2010-12-10 29293408]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-12-24 57600]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-12-24 180816]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-12-24 338176]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-12-24 83856]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-28 135664]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\d:\programs\lavalys\everest corporate edition\kerneld.wnt --> d:\programs\lavalys\everest corporate edition\kerneld.wnt [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-28 135664]
    S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [2011-12-26 203080]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-12-24 59456]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-12-24 83856]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-12-24 87656]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
    S4 McOobeSv;McAfee OOBE Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-12-24 214904]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\microsoft sql server\100\shared\sqladhlp.exe [2009-7-22 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [2009-3-30 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\microsoft sql server\mssql10.sqlexpress\mssql\binn\SQLAGENT.EXE [2009-3-30 366936]
    .
    =============== Created Last 30 ================
    .
    2012-01-02 21:44:04 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
    2012-01-02 21:42:45 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-02 21:42:45 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
    2012-01-02 15:46:05 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
    2012-01-02 15:46:05 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2012-01-02 15:45:50 94297 ----a-w- c:\windows\system32\SynTPAPI.dll
    2012-01-02 15:45:50 81920 ----a-w- c:\windows\system32\SynTPCo2.dll
    2012-01-02 15:45:50 69721 ----a-w- c:\windows\system32\SynTPFcs.dll
    2012-01-02 15:45:50 191936 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2012-01-02 15:45:49 82012 ----a-w- c:\windows\system32\SynCOM.dll
    2012-01-02 15:45:49 114688 ----a-w- c:\windows\system32\SynCtrl.dll
    2012-01-02 15:45:48 -------- d-----w- c:\program files\Synaptics
    2012-01-02 15:45:06 -------- d-----w- C:\Touchpad.temp
    2012-01-02 15:02:28 947 ----a-w- c:\documents and settings\all users\application data\ykhzaaa.tmp
    2012-01-02 15:01:48 837 ----a-w- c:\documents and settings\all users\application data\clhzaaa.tmp
    2012-01-02 15:01:43 821 ----a-w- c:\documents and settings\all users\application data\blhzaaa.tmp
    2012-01-02 15:00:39 819 ----a-w- c:\documents and settings\all users\application data\alhzaaa.tmp
    2012-01-02 15:00:33 828 ----a-w- c:\documents and settings\all users\application data\zkhzaaa.tmp
    2012-01-02 06:57:37 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-12-31 20:42:34 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-31 20:42:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-31 20:12:11 -------- d-----w- c:\windows\pss
    2011-12-31 05:09:19 -------- d-sh--w- C:\found.000
    2011-12-31 01:16:21 -------- d-----w- C:\$AVG
    2011-12-25 21:51:05 -------- d-----w- C:\e
    2011-12-25 21:51:01 -------- d-----w- C:\Data
    2011-12-25 05:34:49 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-12-25 05:34:19 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-12-25 05:34:18 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-12-25 05:34:17 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-12-25 05:34:15 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-12-25 05:34:12 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-12-25 05:34:11 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-12-25 05:34:08 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-12-25 05:33:18 -------- d-----w- c:\program files\common files\Mcafee
    2011-12-25 05:33:15 -------- d-----w- c:\program files\McAfee.com
    2011-12-25 05:32:33 -------- d-----w- c:\program files\McAfee
    2011-12-25 05:24:26 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-12-25 05:24:11 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-12-25 05:24:06 150856 ----a-w- c:\windows\system32\mfevtps.exe
    2011-12-25 05:24:06 148520 ----a-r- c:\windows\system32\mfevtps.exe.8a8a.deleteme
    2011-12-25 05:13:26 148520 ----a-r- c:\windows\system32\mfevtps.exe.e1e3.deleteme
    2011-12-19 18:18:25 -------- d-----w- c:\windows\system32\LogFiles
    .
    ==================== Find3M ====================
    .
    2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD3200BEVT-11ZCT0 rev.11.01A11 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x864E749F]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x864ee738]; MOV EAX, [0x864ee8ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x864E72C6
    user & kernel MBR OK
    .
    ============= FINISH: 20:09:39.71 ===============
     
  5. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    Attach.txt file

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 2/19/2010 9:26:01 AM
    System Uptime: 1/4/2012 7:16:15 PM (1 hours ago)
    .
    Motherboard: Intel Corporation | | MPAD-MSAE Customer Reference Boards
    Processor: Genuine Intel(R) CPU T2300 @ 1.66GHz | U1 | 980/mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 298 GiB total, 229.385 GiB free.
    D: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP2: 12/31/2011 4:52:15 PM - System Checkpoint
    RP3: 1/1/2012 5:35:54 PM - System Checkpoint
    RP4: 1/2/2012 5:26:09 PM - Removed Acrobat.com
    RP5: 1/2/2012 6:18:51 PM - Removed Bonjour
    RP6: 1/2/2012 6:35:03 PM - Removed GoToMyPC
    RP7: 1/3/2012 7:47:24 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.2
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Atheros Driver Installation Program
    Brother MFL-Pro Suite
    Business Contact Manager for Outlook 2007 SP2
    CCleaner
    Crystal Reports Basic Runtime for Visual Studio 2008
    Garmin Lifetime Updater
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB942288-v3)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB958655-v2)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Image Zone 4.0
    HP Software Update
    Intel(R) Graphics Media Accelerator Driver
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 22
    Malwarebytes Anti-Malware version 1.60.0.1800
    McAfee Internet Security
    McAfee Security Scan Plus
    Microsoft .NET Framework 1.0 Hotfix (KB2572066)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft .NET Framework 4 Extended
    Microsoft .NET Framework 4 Multi-Targeting Pack
    Microsoft Application Error Reporting
    Microsoft Help Viewer 1.0
    Microsoft Silverlight
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
    Microsoft SQL Server 2005 Express Edition (SOSHOME309)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server 2008
    Microsoft SQL Server 2008 Browser
    Microsoft SQL Server 2008 Common Files
    Microsoft SQL Server 2008 Database Engine Services
    Microsoft SQL Server 2008 Database Engine Shared
    Microsoft SQL Server 2008 Native Client
    Microsoft SQL Server 2008 R2 Management Objects
    Microsoft SQL Server 2008 RsFx Driver
    Microsoft SQL Server 2008 Setup Support Files
    Microsoft SQL Server Compact 3.5 SP2 ENU
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server System CLR Types
    Microsoft SQL Server VSS Writer
    Microsoft Visual C# 2010 Express - ENU
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Microsoft Visual Studio 2010 ADO.NET Entity Framework Tools
    MobileMe Control Panel
    MPlayer (remove only)
    MSN
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser
    OpenOffice.org 3.3
    Overland
    Photosmart 320,370,7400,8100,8400 Series
    PS8400
    PSPrinters06
    QFolder
    QuickTime
    Realtek High Definition Audio Driver
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
    Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
    Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
    Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
    Security Update for Microsoft Visual C# 2010 Express - ENU (KB2251489)
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2183461)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360131)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2416400)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2482017)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2497640)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2510581)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982381)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Service Pack 1 for SQL Server 2008 (KB968369)
    SPANISH in 10 minutes a day®
    Sql Server Customer Experience Improvement Program
    Success
    SUPERAntiSpyware
    Switched-On Schoolhouse 2011 - Home Edition
    Switched-On Schoolhouse 2011 - Home Edition Database
    Switched-On Schoolhouse 2011 - Home Edition Tutorials
    Synaptics Pointing Device Driver
    TeenCoder - Windows Programming
    Texas Instruments PCIxx21/x515/xx12 drivers.
    TIPCI
    TOSHIBA Software Modem
    TrayApp
    Unload
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    Visual Studio 2010 Tools for SQL Server Compact 3.5 SP2 ENU
    WebFldrs XP
    WebReg
    Windows Internet Explorer 8
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Media Center Edition 2005 KB973768
    Windows XP Service Pack 3
    .
    ==== Event Viewer Messages From Past Week ========
    .
    12/31/2011 2:41:34 PM, error: Service Control Manager [7034] - The Media Center Scheduler Service service terminated unexpectedly. It has done this 1 time(s).
    12/31/2011 2:16:52 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
    12/31/2011 2:16:52 PM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/31/2011 2:16:51 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
    12/31/2011 2:11:55 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    12/31/2011 2:11:52 PM, error: Service Control Manager [7000] - The McAfee SiteAdvisor Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/31/2011 2:11:51 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the McAfee SiteAdvisor Service service to connect.
    12/31/2011 11:26:31 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000007F' while processing the file 'desktop.ini' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
    1/4/2012 7:18:31 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the McAfee SiteAdvisor Service service.
    1/4/2012 1:55:18 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAfee SiteAdvisor Service with arguments "" in order to run the server: {5A90F5EE-16B8-4C2A-81B3-FD5329BA477C}
    1/3/2012 5:01:11 PM, error: Service Control Manager [7034] - The Pml Driver HPZ12 service terminated unexpectedly. It has done this 1 time(s).
    1/3/2012 11:49:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAWFwk with arguments "" in order to run the server: {7D555A20-6721-4C54-9713-6A0372868C62}
    1/3/2012 11:49:39 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McAWFwk with arguments "" in order to run the server: {77B97C6A-CD4E-452C-8D99-08A92F1D8C83}
    1/3/2012 11:47:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SASDIFSV SASKUTIL
    1/2/2012 5:18:11 PM, error: Service Control Manager [7034] - The GoToMyPC service terminated unexpectedly. It has done this 1 time(s).
    1/2/2012 5:17:32 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the SQL Server Browser service, but this action failed with the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    1/2/2012 5:17:23 PM, error: Service Control Manager [7034] - The Media Center Receiver Service service terminated unexpectedly. It has done this 1 time(s).
    1/2/2012 5:17:03 PM, error: Service Control Manager [7034] - The Business Contact Manager SQL Server Startup Service service terminated unexpectedly. It has done this 1 time(s).
    1/2/2012 5:16:43 PM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
    1/2/2012 5:16:40 PM, error: Service Control Manager [7034] - The SQL Server (SQLEXPRESS) service terminated unexpectedly. It has done this 1 time(s).
    1/2/2012 5:16:36 PM, error: Service Control Manager [7034] - The SQL Server (SOSHOME309) service terminated unexpectedly. It has done this 1 time(s).
    1/2/2012 5:16:32 PM, error: Service Control Manager [7031] - The SQL Server Browser service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/2/2012 3:48:38 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/2/2012 3:47:43 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer ME-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{154E18E5-570D-4328-AE8. The master browser is stopping or an election is being forced.
    1/2/2012 12:44:21 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips i8042prt intelppm
    1/2/2012 12:43:27 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    1/2/2012 12:42:44 AM, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 0013024F7554 has been denied by the DHCP server 192.168.33.1 (The DHCP Server sent a DHCPNACK message).
    1/2/2012 12:06:31 AM, error: Service Control Manager [7034] - The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).
    1/2/2012 12:06:31 AM, error: Service Control Manager [7031] - The McAfee VirusScan Announcer service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/2/2012 12:06:31 AM, error: Service Control Manager [7031] - The McAfee Services service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/2/2012 12:06:31 AM, error: Service Control Manager [7031] - The McAfee Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/2/2012 12:06:31 AM, error: Service Control Manager [7031] - The McAfee Personal Firewall Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/2/2012 12:06:31 AM, error: Service Control Manager [7031] - The McAfee Network Agent service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/2/2012 12:06:31 AM, error: Service Control Manager [7031] - The McAfee Anti-Spam Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    1/2/2012 1:21:05 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaiAnn with arguments "" in order to run the server: {DC7EF8E1-824F-4110-AB43-1604DA9B4F40}
    1/2/2012 1:06:06 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service McNaSvc with arguments "" in order to run the server: {24F616A1-B755-4053-8018-C3425DC8B68A}
    1/2/2012 1:04:03 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    1/1/2012 6:25:01 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/1/2012 4:25:01 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/1/2012 3:25:01 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/1/2012 2:55:01 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/1/2012 2:40:01 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    1/1/2012 11:23:52 PM, error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
    1/1/2012 11:23:28 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: i8042prt
    1/1/2012 11:23:28 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the SQL Server (SQLEXPRESS) service to connect.
    1/1/2012 11:23:28 PM, error: Service Control Manager [7000] - The SQL Server (SQLEXPRESS) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    1/1/2012 11:19:43 PM, error: Dhcp [1002] - The IP address lease 192.168.2.5 for the Network Card with network address 0013024F7554 has been denied by the DHCP server 192.168.33.1 (The DHCP Server sent a DHCPNACK message).
    1/1/2012 11:14:26 PM, error: Service Control Manager [7034] - The Terminal Services service terminated unexpectedly. It has done this 1 time(s).
    1/1/2012 11:14:26 PM, error: Service Control Manager [7031] - The DCOM Server Process Launcher service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Reboot the machine.
    1/1/2012 10:25:02 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    .
    ==== End Of File ===========================
     
  6. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ============================================================

    Download TDSSKiller and save it to your desktop.
    • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  7. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    TDSSKiller log file

    19:33:05.0031 2348 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
    19:33:05.0046 2348 ============================================================
    19:33:05.0046 2348 Current date / time: 2012/01/05 19:33:05.0046
    19:33:05.0046 2348 SystemInfo:
    19:33:05.0046 2348
    19:33:05.0046 2348 OS Version: 5.1.2600 ServicePack: 3.0
    19:33:05.0046 2348 Product type: Workstation
    19:33:05.0046 2348 ComputerName: OWNER-830FA6330
    19:33:05.0046 2348 UserName: Owner
    19:33:05.0046 2348 Windows directory: C:\WINDOWS
    19:33:05.0046 2348 System windows directory: C:\WINDOWS
    19:33:05.0046 2348 Processor architecture: Intel x86
    19:33:05.0046 2348 Number of processors: 2
    19:33:05.0046 2348 Page size: 0x1000
    19:33:05.0046 2348 Boot type: Normal boot
    19:33:05.0046 2348 ============================================================
    19:33:06.0484 2348 Initialize success
    19:33:13.0140 1724 ============================================================
    19:33:13.0140 1724 Scan started
    19:33:13.0140 1724 Mode: Manual;
    19:33:13.0140 1724 ============================================================
    19:33:25.0765 1724 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
    19:33:25.0796 1724 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    19:33:25.0796 1724 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    19:33:25.0828 1724 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
    19:33:25.0828 1724 \Device\Harddisk1\DR2 - ok
    19:33:25.0843 1724 Boot (0x1200) (e96d4da541c3b2cc71bf3da1b8381af3) \Device\Harddisk0\DR0\Partition0
    19:33:25.0843 1724 \Device\Harddisk0\DR0\Partition0 - ok
    19:33:25.0843 1724 Boot (0x1200) (e161f840a89f08a1972849f3a593cdbb) \Device\Harddisk1\DR2\Partition0
    19:33:25.0843 1724 \Device\Harddisk1\DR2\Partition0 - ok
    19:33:25.0843 1724 ============================================================
    19:33:25.0843 1724 Scan finished
    19:33:25.0843 1724 ============================================================
    19:33:25.0859 0708 Detected object count: 1
    19:33:25.0859 0708 Actual detected object count: 1
    19:33:52.0812 0708 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    19:33:52.0812 0708 \Device\Harddisk0\DR0 - ok
    19:33:52.0812 0708 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    19:34:02.0406 0884 Deinitialize success
     
  8. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Good :)

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ============================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG/CA Internet Security first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.

    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure you re-enable your security programs when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode (How to...)

    2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  9. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    aswmbr

    I tried to run ComboFix but was not successful. I do not have the Recovery Console installed and when I tried to connect to the internet to install, I received an error message and the computer automatically rebooted. Network Connections does show that I am connected via wireless connection and a Windows Update icon just popped up to tell me I have updates to install, so I guess I do have a connection. Opening IE says I'm not connected.

    Let me know what to do

    Here is the aswmbr log file.



    aswMBR version 0.9.9.1156 Copyright(c) 2011 AVAST Software
    Run date: 2012-01-05 19:47:48
    -----------------------------
    19:47:48.171 OS Version: Windows 5.1.2600 Service Pack 3
    19:47:48.171 Number of processors: 2 586 0xE08
    19:47:48.171 ComputerName: OWNER-830FA6330 UserName: Owner
    19:47:49.296 Initialize success
    19:48:01.515 AVAST engine download error: 0
    19:48:21.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    19:48:21.296 Disk 0 Vendor: WDC_WD3200BEVT-11ZCT0 11.01A11 Size: 305245MB BusType: 3
    19:48:21.312 Disk 0 MBR read successfully
    19:48:21.312 Disk 0 MBR scan
    19:48:21.312 Disk 0 Windows XP default MBR code
    19:48:21.312 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
    19:48:21.328 Disk 0 scanning sectors +625121280
    19:48:21.390 Disk 0 scanning C:\WINDOWS\system32\drivers
    19:48:35.000 Service scanning
    19:48:35.578 Service EverestDriver D:\PROGRAMS\Lavalys\EVEREST Corporate Edition\kerneld.wnt **LOCKED** 21
    19:48:36.750 Modules scanning
    19:48:42.875 Disk 0 trace - called modules:
    19:48:42.890 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
    19:48:42.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fa2290]
    19:48:42.890 3 CLASSPNP.SYS[f765efd7] -> nt!IofCallDriver -> \Device\00000085[0x86ecf9e8]
    19:48:42.890 5 ACPI.sys[f75b5620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86f7a940]
    19:48:42.906 Scan finished successfully
    19:54:36.250 Disk 0 MBR has been saved successfully to "E:\MBR.dat"
    19:54:36.281 The log file has been saved successfully to "E:\aswMBR.txt"
     
  10. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Did you?
     
  11. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    Kill log and Combofix log

    McAfee did pop up and say it blocked an unwanted program, tool-nircmd. Ran both programs in Safe Mode.


    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 01/05/2012 at 20:34:34.
    Operating System: Microsoft Windows XP

    Processes terminated by Rkill or while it was running:

    Rkill completed on 01/05/2012 at 20:34:39.


    ComboFix 12-01-05.04 - Owner 01/05/2012 20:44:44.1.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.781 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\Ownerfix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    C:\data
    c:\data\default\us_sres.data
    c:\documents and settings\All Users\Application Data\aapzaaa.tmp
    c:\documents and settings\All Users\Application Data\alhzaaa.tmp
    c:\documents and settings\All Users\Application Data\blhzaaa.tmp
    c:\documents and settings\All Users\Application Data\clhzaaa.tmp
    c:\documents and settings\All Users\Application Data\nutyaaa.tmp
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\w03v5ho382r0eu83588ggfx84pax154ve3u7
    c:\documents and settings\All Users\Application Data\wzozaaa.tmp
    c:\documents and settings\All Users\Application Data\xzozaaa.tmp
    c:\documents and settings\All Users\Application Data\ykhzaaa.tmp
    c:\documents and settings\All Users\Application Data\yzozaaa.tmp
    c:\documents and settings\All Users\Application Data\zkhzaaa.tmp
    c:\documents and settings\All Users\Application Data\zzozaaa.tmp
    c:\windows\$NtUninstallKB55942$
    c:\windows\$NtUninstallKB55942$\2663269432\@
    c:\windows\$NtUninstallKB55942$\2663269432\bckfg.tmp
    c:\windows\$NtUninstallKB55942$\2663269432\cfg.ini
    c:\windows\$NtUninstallKB55942$\2663269432\Desktop.ini
    c:\windows\$NtUninstallKB55942$\2663269432\keywords
    c:\windows\$NtUninstallKB55942$\2663269432\kwrd.dll
    c:\windows\$NtUninstallKB55942$\2663269432\L\jstbznpr
    c:\windows\$NtUninstallKB55942$\2663269432\lsflt7.ver
    c:\windows\$NtUninstallKB55942$\2663269432\U\00000001.$
    c:\windows\$NtUninstallKB55942$\2663269432\U\00000001.@
    c:\windows\$NtUninstallKB55942$\2663269432\U\00000002.@
    c:\windows\$NtUninstallKB55942$\2663269432\U\00000004.@
    c:\windows\$NtUninstallKB55942$\2663269432\U\80000000.@
    c:\windows\$NtUninstallKB55942$\2663269432\U\80000004.@
    c:\windows\$NtUninstallKB55942$\2663269432\U\80000032.$
    c:\windows\$NtUninstallKB55942$\2663269432\U\80000032.@
    c:\windows\$NtUninstallKB55942$\2824895661
    .
    c:\windows\system32\drivers\mqac.sys . . . is infected!! . . . Failed to find a valid replacement.
    c:\windows\explorer.exe . . . is infected!!
    .
    Infected copy of c:\windows\system32\svchost.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
    .
    c:\windows\system32\winlogon.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-02 21:49 . 2012-01-02 21:49 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2012-01-02 21:44 . 2012-01-02 21:44 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2012-01-02 21:42 . 2012-01-02 21:43 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-02 21:42 . 2012-01-02 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-01-02 15:46 . 2008-04-14 06:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
    2012-01-02 15:46 . 2008-04-14 06:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2012-01-02 15:45 . 2005-12-16 22:36 81920 ----a-w- c:\windows\system32\SynTPCo2.dll
    2012-01-02 15:45 . 2005-12-16 22:34 69721 ----a-w- c:\windows\system32\SynTPFcs.dll
    2012-01-02 15:45 . 2005-12-16 22:19 94297 ----a-w- c:\windows\system32\SynTPAPI.dll
    2012-01-02 15:45 . 2005-12-16 22:15 191936 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2012-01-02 15:45 . 2005-12-16 22:19 114688 ----a-w- c:\windows\system32\SynCtrl.dll
    2012-01-02 15:45 . 2005-12-16 22:18 82012 ----a-w- c:\windows\system32\SynCOM.dll
    2012-01-02 15:45 . 2012-01-02 15:45 -------- d-----w- c:\program files\Synaptics
    2012-01-02 15:45 . 2012-01-02 15:45 -------- d-----w- C:\Touchpad.temp
    2012-01-02 06:57 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-12-31 20:42 . 2011-12-31 20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-31 20:42 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-31 19:32 . 2011-12-31 19:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-12-31 19:27 . 2011-12-31 19:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2011-12-31 19:27 . 2011-12-31 19:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
    2011-12-31 05:09 . 2012-01-04 19:51 -------- d-----w- C:\found.000
    2011-12-31 01:16 . 2011-12-31 01:16 -------- d-----w- C:\$AVG
    2011-12-26 22:36 . 2011-12-26 22:36 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2011-12-26 22:23 . 2011-12-26 22:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
    2011-12-25 21:51 . 2012-01-05 16:31 -------- d-----w- C:\e
    2011-12-25 21:17 . 2011-12-25 21:17 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2011-12-25 21:16 . 2011-12-25 21:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2011-12-25 05:34 . 2011-10-15 18:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-12-25 05:34 . 2011-10-15 18:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-12-25 05:34 . 2011-10-15 18:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-12-25 05:34 . 2011-10-15 18:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-12-25 05:33 . 2011-12-25 05:35 -------- d-----w- c:\program files\Common Files\Mcafee
    2011-12-25 05:32 . 2011-12-25 05:36 -------- d-----w- c:\program files\McAfee
    2011-12-25 05:24 . 2011-10-15 18:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-12-25 05:24 . 2011-10-15 18:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-12-25 05:24 . 2011-12-06 23:25 150856 ----a-w- c:\windows\system32\mfevtps.exe
    2011-12-24 16:18 . 2011-12-24 16:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-12-20 19:43 . 2011-12-20 19:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-12-20 19:32 . 2011-12-20 19:42 -------- d-----w- c:\documents and settings\Administrator
    2011-12-19 18:18 . 2011-12-19 18:18 -------- d-----w- c:\windows\system32\LogFiles
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-23 13:25 . 2006-03-15 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-04 19:20 . 2006-03-15 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2006-03-15 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2006-03-15 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2006-03-15 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2006-03-15 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2006-03-15 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2006-03-15 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-10 14:22 . 2010-02-19 15:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-28 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
    "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
    "HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
    "FamilyCyberAlert"="c:\windows\system32\FCyberAlert\Syslogin.exe" [2009-08-28 1683456]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 05:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2005-10-15 12:29 88203 ----a-w- c:\windows\agrsmmsg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-04 00:43 69632 ----a-w- c:\windows\ALCMTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-12-14 23:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-09-27 13:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2004-08-10 10:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Garmin Lifetime Updater]
    2011-10-03 14:14 1409384 ----a-w- c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2004-02-12 18:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-11-13 06:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
    2004-08-18 09:37 184320 ------w- c:\program files\ltmoh\ltmoh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 11:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 23:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2005-09-22 19:36 14854144 ----a-w- c:\windows\RTHDCPL.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2011-12-09 00:44 4616064 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "JavaQuickStarterService"=2 (0x2)
    "tvnserver"=2 (0x2)
    "iPod Service"=3 (0x3)
    "GoToMyPC"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "BcmSqlStartupSvc"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "ehSched"=2 (0x2)
    "ehRecvr"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/24/2011 11:34 PM 89792]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/24/2011 11:35 PM 160608]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/24/2011 11:24 PM 150856]
    R2 MSSQL$SOSHOME309;SQL Server (SOSHOME309);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [12/10/2010 5:29 PM 29293408]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/24/2011 11:34 PM 57600]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/24/2011 11:34 PM 338176]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/24/2011 11:34 PM 83856]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2010 11:31 AM 135664]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\d:\programs\Lavalys\EVEREST Corporate Edition\kerneld.wnt --> d:\programs\Lavalys\EVEREST Corporate Edition\kerneld.wnt [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2010 11:31 AM 135664]
    S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [12/26/2011 4:08 PM 203080]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/24/2011 11:34 PM 83856]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/24/2011 11:34 PM 87656]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 9:08 PM 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 2:09 AM 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 2:23 AM 366936]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
    .
    2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 17:31]
    .
    2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 17:31]
    .
    2012-01-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1417001333-682003330-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 11:56]
    .
    2012-01-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1417001333-682003330-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 11:56]
    .
    2012-01-06 c:\windows\Tasks\HP Usg Daily FY04.job
    - c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2011-09-10 04:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-gfhYdHclcK - c:\documents and settings\All Users\Application Data\gfhYdHclcK.exe
    MSConfigStartUp-rcIkTucXrvMQpF - c:\documents and settings\All Users\Application Data\rcIkTucXrvMQpF.exe
    MSConfigStartUp-tvncontrol - c:\program files\TightVNC\tvnserver.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-05 21:04
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
    "ImagePath"="\??\d:\programs\Lavalys\EVEREST Corporate Edition\kerneld.wnt"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,ff,3d,f8,ab,a9,87,4e,a4,a8,c1,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,ff,3d,f8,ab,a9,87,4e,a4,a8,c1,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1432)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(2744)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Synaptics\SynTP\Toshiba.exe
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\HPZipm12.exe
    c:\progra~1\mcafee\VIRUSS~1\mcvsshld.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-05 21:18:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-06 03:17
    .
    Pre-Run: 246,190,776,320 bytes free
    Post-Run: 246,734,536,704 bytes free
    .
    - - End Of File - - 13CF3CD47E0786E77D5101F7CF589E2B
     
  12. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    My instructions say to disable an AV program when running Combofix.

    See if you can re-run Combofix in normal mode now.
     
  13. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    new log

    Tried to run Combofix in normal mode, but when it tried to connect to the internet, I got DCOM Server Process Launcher Error message stating it had to reboot.

    I then started in Safe Mode and ran Combofix. Here's the new log.

    ComboFix 12-01-05.04 - Owner 01/05/2012 23:06:38.2.2 - x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.620 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\explorer.exe . . . is infected!!
    .
    Infected copy of c:\windows\system32\svchost.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
    .
    c:\windows\system32\winlogon.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-02 21:49 . 2012-01-02 21:49 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2012-01-02 21:44 . 2012-01-02 21:44 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2012-01-02 21:42 . 2012-01-02 21:43 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-02 21:42 . 2012-01-02 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-01-02 15:46 . 2008-04-14 06:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
    2012-01-02 15:46 . 2008-04-14 06:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2012-01-02 15:45 . 2005-12-16 22:36 81920 ----a-w- c:\windows\system32\SynTPCo2.dll
    2012-01-02 15:45 . 2005-12-16 22:34 69721 ----a-w- c:\windows\system32\SynTPFcs.dll
    2012-01-02 15:45 . 2005-12-16 22:19 94297 ----a-w- c:\windows\system32\SynTPAPI.dll
    2012-01-02 15:45 . 2005-12-16 22:15 191936 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2012-01-02 15:45 . 2005-12-16 22:19 114688 ----a-w- c:\windows\system32\SynCtrl.dll
    2012-01-02 15:45 . 2005-12-16 22:18 82012 ----a-w- c:\windows\system32\SynCOM.dll
    2012-01-02 15:45 . 2012-01-02 15:45 -------- d-----w- c:\program files\Synaptics
    2012-01-02 15:45 . 2012-01-02 15:45 -------- d-----w- C:\Touchpad.temp
    2012-01-02 06:57 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-12-31 20:42 . 2011-12-31 20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-31 20:42 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-31 19:32 . 2011-12-31 19:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-12-31 19:27 . 2011-12-31 19:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2011-12-31 19:27 . 2011-12-31 19:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
    2011-12-31 05:09 . 2012-01-04 19:51 -------- d-----w- C:\found.000
    2011-12-31 01:16 . 2011-12-31 01:16 -------- d-----w- C:\$AVG
    2011-12-26 22:36 . 2011-12-26 22:36 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2011-12-26 22:23 . 2011-12-26 22:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
    2011-12-25 21:51 . 2012-01-05 16:31 -------- d-----w- C:\e
    2011-12-25 21:17 . 2011-12-25 21:17 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2011-12-25 21:16 . 2011-12-25 21:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2011-12-25 05:34 . 2011-10-15 18:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-12-25 05:34 . 2011-10-15 18:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-12-25 05:34 . 2011-10-15 18:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-12-25 05:34 . 2011-10-15 18:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-12-25 05:33 . 2011-12-25 05:35 -------- d-----w- c:\program files\Common Files\Mcafee
    2011-12-25 05:32 . 2011-12-25 05:36 -------- d-----w- c:\program files\McAfee
    2011-12-25 05:24 . 2011-10-15 18:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-12-25 05:24 . 2011-10-15 18:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-12-25 05:24 . 2011-12-06 23:25 150856 ----a-w- c:\windows\system32\mfevtps.exe
    2011-12-24 16:18 . 2011-12-24 16:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-12-20 19:43 . 2011-12-20 19:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-12-20 19:32 . 2011-12-20 19:42 -------- d-----w- c:\documents and settings\Administrator
    2011-12-19 18:18 . 2011-12-19 18:18 -------- d-----w- c:\windows\system32\LogFiles
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-11-23 13:25 . 2006-03-15 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-04 19:20 . 2006-03-15 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2006-03-15 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2006-03-15 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2006-03-15 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2006-03-15 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2006-03-15 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2006-03-15 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-10 14:22 . 2010-02-19 15:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    .
    .
    [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
    [-] 2008-04-14 . F92D05B1C0DE946CF66B11479247FBDE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
    [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
    [-] 2006-03-15 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
    .
    ((((((((((((((((((((((((((((( SnapShot@2012-01-06_03.03.19 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2012-01-06 05:20 . 2012-01-06 05:20 16384 c:\windows\temp\Perflib_Perfdata_420.dat
    + 2012-01-06 04:16 . 2012-01-06 04:16 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2010-02-19 18:43 . 2012-01-06 04:16 524288 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2010-02-19 18:43 . 2012-01-06 02:04 524288 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-02-19 18:43 . 2012-01-06 04:16 4259840 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2010-02-19 18:43 . 2012-01-06 02:04 4259840 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-28 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
    "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
    "HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
    "FamilyCyberAlert"="c:\windows\system32\FCyberAlert\Syslogin.exe" [2009-08-28 1683456]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 05:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2005-10-15 12:29 88203 ----a-w- c:\windows\agrsmmsg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-04 00:43 69632 ----a-w- c:\windows\ALCMTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-12-14 23:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-09-27 13:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2004-08-10 10:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Garmin Lifetime Updater]
    2011-10-03 14:14 1409384 ----a-w- c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2004-02-12 18:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-11-13 06:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
    2004-08-18 09:37 184320 ------w- c:\program files\ltmoh\ltmoh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 11:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 23:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2005-09-22 19:36 14854144 ----a-w- c:\windows\RTHDCPL.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2011-12-09 00:44 4616064 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "JavaQuickStarterService"=2 (0x2)
    "tvnserver"=2 (0x2)
    "iPod Service"=3 (0x3)
    "GoToMyPC"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "BcmSqlStartupSvc"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "ehSched"=2 (0x2)
    "ehRecvr"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/24/2011 11:34 PM 89792]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/24/2011 11:35 PM 160608]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/24/2011 11:24 PM 150856]
    R2 MSSQL$SOSHOME309;SQL Server (SOSHOME309);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [12/10/2010 5:29 PM 29293408]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/24/2011 11:34 PM 57600]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/24/2011 11:34 PM 338176]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/24/2011 11:34 PM 83856]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2010 11:31 AM 135664]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\d:\programs\Lavalys\EVEREST Corporate Edition\kerneld.wnt --> d:\programs\Lavalys\EVEREST Corporate Edition\kerneld.wnt [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2010 11:31 AM 135664]
    S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [12/26/2011 4:08 PM 203080]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/24/2011 11:34 PM 83856]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/24/2011 11:34 PM 87656]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 9:08 PM 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 2:09 AM 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 2:23 AM 366936]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
    .
    2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 17:31]
    .
    2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 17:31]
    .
    2012-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1417001333-682003330-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 11:56]
    .
    2012-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1417001333-682003330-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 11:56]
    .
    2012-01-06 c:\windows\Tasks\HP Usg Daily FY04.job
    - c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2011-09-10 04:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.2.1
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-05 23:22
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
    "ImagePath"="\??\d:\programs\Lavalys\EVEREST Corporate Edition\kerneld.wnt"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,ff,3d,f8,ab,a9,87,4e,a4,a8,c1,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,ff,3d,f8,ab,a9,87,4e,a4,a8,c1,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1432)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(2588)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    c:\program files\Common Files\McAfee\SystemCore\ScriptSn.20111226160148.dll
    c:\windows\system32\JScript.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Synaptics\SynTP\Toshiba.exe
    c:\windows\system32\rundll32.exe
    c:\windows\system32\HPZipm12.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-05 23:33:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-06 05:33
    ComboFix2.txt 2012-01-06 03:18
    .
    Pre-Run: 246,692,716,544 bytes free
    Post-Run: 246,666,907,648 bytes free
    .
    - - End Of File - - 9518CC0394FF3161F96EBF16E4E3C8D0
     
  14. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    OK, we have a couple of important system files infected.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    64-bit users go HERE
    • Double-click SystemLook.exe to run it.
    • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box and paste it into the main textfield:
      Code:
      :filefind
      winlogon.exe
      explorer.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  15. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    systemlook file

    SystemLook 30.07.11 by jpshortstuff
    Log created at 00:17 on 06/01/2012 by Owner
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "winlogon.exe"
    C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 182856 bytes [20:42 31/12/2011] [23:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
    C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [20:21 20/02/2010] [12:00 15/03/2006] 01C3346C241652F43AED8E2149881BFE
    C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [20:27 20/02/2010] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
    C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe --a---- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
    C:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [12:00 15/03/2006] [11:42 14/04/2008] 1300F6682BEA386767AE2A7C6C2DDCA7

    Searching for "explorer.exe"
    C:\WINDOWS\explorer.exe --a---- 1058816 bytes [12:00 15/03/2006] [11:42 14/04/2008] F92D05B1C0DE946CF66B11479247FBDE
    C:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1032192 bytes [20:21 20/02/2010] [12:00 15/03/2006] A0732187050030AE399B241436565E64
    C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [20:27 20/02/2010] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
    C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe --a---- 1033728 bytes [00:12 14/04/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

    -= EOF =-
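The check Broni is doing by hand in posts 14 and 15 (compare the live winlogon.exe and explorer.exe against the SP3 cache copies in ServicePackFiles\i386 by size and MD5) can be automated. The following is an added example, not code from the thread or from SystemLook: it parses SystemLook ":filefind" output in the format posted above (the sample lines are copied from that log), flags live copies that differ from the reference copy, and emits the corresponding CopyFile restore lines. The directory classification (what counts as "live" and "reference") is an assumption of this script.

```python
"""Flag live Windows system binaries whose MD5/size differ from the SP cache copy.

Added example (not from the thread). Input is SystemLook ":filefind" output.
Reference copy: C:\WINDOWS\ServicePackFiles\i386\<name>.
Live copy: the <name> found directly under C:\WINDOWS or C:\WINDOWS\system32.
Copies in $NtServicePackUninstall$ (pre-SP3 originals), SoftwareDistribution
and third-party folders (e.g. the Malwarebytes Chameleon decoy) are ignored.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the SystemLook log posted above.
SYSTEMLOOK_LOG = r'''
========== filefind ==========

Searching for "winlogon.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 182856 bytes [20:42 31/12/2011] [23:50 24/12/2011] B382935AB01B27D0E14F267DBF288896
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [20:21 20/02/2010] [12:00 15/03/2006] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [20:27 20/02/2010] [11:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [12:00 15/03/2006] [11:42 14/04/2008] 1300F6682BEA386767AE2A7C6C2DDCA7

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1058816 bytes [12:00 15/03/2006] [11:42 14/04/2008] F92D05B1C0DE946CF66B11479247FBDE
C:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [20:27 20/02/2010] [11:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

-= EOF =-
'''

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
ENTRY_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)

REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"   # assumed known-good SP3 cache
LIVE_DIRS = (r"c:\windows", r"c:\windows\system32")   # where the running copy lives


@dataclass
class FileEntry:
    name: str
    path: str
    size: int
    md5: str


def parse_filefind(text):
    """Return one FileEntry per result line, tagged with the searched-for name."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and current:
            entries.append(FileEntry(current, m.group("path"),
                                     int(m.group("size")), m.group("md5").upper()))
    return entries


def _directory(path):
    return path.rsplit("\\", 1)[0].lower()


def compare(entries):
    """For each searched name, compare the live copy with the reference copy.

    A hash mismatch at the same file version (as in the ComboFix Sigcheck
    section above, where both explorer.exe copies report 6.00.2900.5512) with
    the live file larger than the reference is the classic file-infector sign.
    Caveat: a post-SP3 hotfix can also legitimately change a live binary, so
    check the version/signature before treating a mismatch as proof.
    """
    groups = {}
    for e in entries:
        groups.setdefault(e.name, []).append(e)
    results = {}
    for name, group in groups.items():
        ref = next((e for e in group if _directory(e.path) == REFERENCE_DIR), None)
        live = next((e for e in group if _directory(e.path) in LIVE_DIRS), None)
        if ref is None or live is None:
            results[name] = {"status": "UNKNOWN", "reason": "no reference or live copy"}
            continue
        mismatch = live.md5 != ref.md5 or live.size != ref.size
        results[name] = {
            "status": "MISMATCH" if mismatch else "OK",
            "live": live.path, "reference": ref.path,
            "live_md5": live.md5, "reference_md5": ref.md5,
            "size_delta": live.size - ref.size,
        }
    return results


def restore_script(results):
    """Emit BlitzBlank-style 'CopyFile:' lines (reference -> live) for mismatches."""
    lines = ["CopyFile:"]
    for name in sorted(results):
        r = results[name]
        if r["status"] == "MISMATCH":
            lines.append(f'{r["reference"]} {r["live"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    found = compare(parse_filefind(SYSTEMLOOK_LOG))
    for name, r in found.items():
        print(name, r["status"], r.get("size_delta"))
    print(restore_script(found))
```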
     
  16. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Download BlitzBlank and save it to your desktop.
    Double click on Blitzblank.exe

    • Click OK at the warning.
    • Click the Script tab and copy/paste the following text there:
    Code:
    CopyFile:
    C:\WINDOWS\ServicePackFiles\i386\explorer.exe C:\WINDOWS\explorer.exe
    C:\WINDOWS\ServicePackFiles\i386\winlogon.exe C:\WINDOWS\system32\winlogon.exe
    
    • Click Execute Now. Your computer will need to reboot in order to replace the files.
    • When done, post the report created by Blitzblank.
      You can find it in the root of the drive, normally C:\
     
  17. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    BlitzBlank 1.0.0.32

    File/Registry Modification Engine native application
    CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"
    CopyFileOnReboot: sourceFile = "\??\c:\windows\servicepackfiles\i386\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe"
     
  18. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Re-run Combofix.
     
  19. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    ComboFix 12-01-05.04 - Owner 01/06/2012 10:50:45.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.636 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\windows\TEMP\win9.tmp
    .
    c:\windows\explorer.exe . . . is infected!!
    .
    Infected copy of c:\windows\system32\svchost.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\svchost.exe
    .
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-12-06 to 2012-01-06 )))))))))))))))))))))))))))))))
    .
    .
    2012-01-02 21:49 . 2012-01-02 21:49 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
    2012-01-02 21:44 . 2012-01-02 21:44 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
    2012-01-02 21:42 . 2012-01-02 21:43 -------- d-----w- c:\program files\SUPERAntiSpyware
    2012-01-02 21:42 . 2012-01-02 21:42 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2012-01-02 15:46 . 2008-04-14 06:48 52480 -c--a-w- c:\windows\system32\dllcache\i8042prt.sys
    2012-01-02 15:46 . 2008-04-14 06:48 52480 ----a-w- c:\windows\system32\drivers\i8042prt.sys
    2012-01-02 15:45 . 2005-12-16 22:36 81920 ----a-w- c:\windows\system32\SynTPCo2.dll
    2012-01-02 15:45 . 2005-12-16 22:34 69721 ----a-w- c:\windows\system32\SynTPFcs.dll
    2012-01-02 15:45 . 2005-12-16 22:19 94297 ----a-w- c:\windows\system32\SynTPAPI.dll
    2012-01-02 15:45 . 2005-12-16 22:15 191936 ----a-w- c:\windows\system32\drivers\SynTP.sys
    2012-01-02 15:45 . 2005-12-16 22:19 114688 ----a-w- c:\windows\system32\SynCtrl.dll
    2012-01-02 15:45 . 2005-12-16 22:18 82012 ----a-w- c:\windows\system32\SynCOM.dll
    2012-01-02 15:45 . 2012-01-02 15:45 -------- d-----w- c:\program files\Synaptics
    2012-01-02 15:45 . 2012-01-02 15:45 -------- d-----w- C:\Touchpad.temp
    2012-01-02 06:57 . 2011-06-21 04:09 200976 ----a-w- c:\windows\system32\drivers\tmcomm.sys
    2011-12-31 20:42 . 2011-12-31 20:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-12-31 20:42 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-12-31 19:32 . 2011-12-31 19:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2011-12-31 19:27 . 2011-12-31 19:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2011-12-31 19:27 . 2011-12-31 19:27 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
    2011-12-31 05:09 . 2012-01-04 19:51 -------- d-----w- C:\found.000
    2011-12-31 01:16 . 2011-12-31 01:16 -------- d-----w- C:\$AVG
    2011-12-26 22:36 . 2011-12-26 22:36 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
    2011-12-26 22:23 . 2011-12-26 22:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
    2011-12-25 21:51 . 2012-01-05 16:31 -------- d-----w- C:\e
    2011-12-25 21:17 . 2011-12-25 21:17 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2011-12-25 21:16 . 2011-12-25 21:16 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Yahoo!
    2011-12-25 05:34 . 2011-10-15 18:16 9608 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 89792 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
    2011-12-25 05:34 . 2011-10-15 18:16 83856 ----a-w- c:\windows\system32\drivers\mfendisk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 87656 ----a-w- c:\windows\system32\drivers\mferkdet.sys
    2011-12-25 05:34 . 2011-10-15 18:16 338176 ----a-w- c:\windows\system32\drivers\mfefirek.sys
    2011-12-25 05:34 . 2011-10-15 18:16 59456 ----a-w- c:\windows\system32\drivers\mfebopk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 180816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
    2011-12-25 05:34 . 2011-10-15 18:16 57600 ----a-w- c:\windows\system32\drivers\cfwids.sys
    2011-12-25 05:33 . 2011-12-25 05:35 -------- d-----w- c:\program files\Common Files\Mcafee
    2011-12-25 05:32 . 2011-12-25 05:36 -------- d-----w- c:\program files\McAfee
    2011-12-25 05:24 . 2011-10-15 18:16 121256 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
    2011-12-25 05:24 . 2011-10-15 18:16 464176 ----a-w- c:\windows\system32\drivers\mfehidk.sys
    2011-12-25 05:24 . 2011-12-06 23:25 150856 ----a-w- c:\windows\system32\mfevtps.exe
    2011-12-24 16:18 . 2011-12-24 16:18 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-12-20 19:43 . 2011-12-20 19:43 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-12-20 19:32 . 2011-12-20 19:42 -------- d-----w- c:\documents and settings\Administrator
    2011-12-19 18:18 . 2011-12-19 18:18 -------- d-----w- c:\windows\system32\LogFiles
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-01-06 16:29 . 2006-03-15 12:00 1058816 ----a-w- c:\windows\explorer.exe
    2011-11-23 13:25 . 2006-03-15 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
    2011-11-04 19:20 . 2006-03-15 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
    2011-11-04 19:20 . 2006-03-15 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-11-04 19:20 . 2006-03-15 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-11-04 11:23 . 2006-03-15 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-11-01 16:07 . 2006-03-15 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
    2011-10-28 05:31 . 2006-03-15 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2011-10-25 13:37 . 2006-03-15 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2011-10-25 12:52 . 2004-08-03 22:59 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2011-10-10 14:22 . 2010-02-19 15:19 692736 ----a-w- c:\windows\system32\inetcomm.dll
    .
    .
    ------- Sigcheck -------
    Note: Unsigned files aren't necessarily malware.
    .
    .
    [7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
    [-] 2008-04-14 . ECD453C1AD7D2FF9448C24A65642FE17 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
    [7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
    [-] 2006-03-15 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
    .
    [-] 2012-01-06 . F92D05B1C0DE946CF66B11479247FBDE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
    [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
    [7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
    [-] 2006-03-15 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-02-28 39408]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
    "SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
    "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 864256]
    "HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2006-01-07 172032]
    "HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2006-01-07 49152]
    "HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "HPHmon06"="c:\windows\system32\hphmon06.exe" [2006-01-07 659456]
    "mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-11-22 1318816]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
    "FamilyCyberAlert"="c:\windows\system32\FCyberAlert\Syslogin.exe" [2009-08-28 1683456]
    .
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
    backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-09-21 05:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    2005-10-15 12:29 88203 ----a-w- c:\windows\agrsmmsg.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-04 00:43 69632 ----a-w- c:\windows\ALCMTR.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    2010-12-14 23:17 47904 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
    2011-09-27 13:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2004-08-10 10:04 59392 ----a-w- c:\windows\ehome\ehtray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Garmin Lifetime Updater]
    2011-10-03 14:14 1409384 ----a-w- c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2004-02-12 18:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2011-11-13 06:24 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
    2004-08-18 09:37 184320 ------w- c:\program files\ltmoh\ltmoh.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 11:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2011-07-05 23:36 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2005-09-22 19:36 14854144 ----a-w- c:\windows\RTHDCPL.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    2011-12-09 00:44 4616064 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "JavaQuickStarterService"=2 (0x2)
    "tvnserver"=2 (0x2)
    "iPod Service"=3 (0x3)
    "GoToMyPC"=2 (0x2)
    "Bonjour Service"=2 (0x2)
    "BcmSqlStartupSvc"=2 (0x2)
    "Apple Mobile Device"=2 (0x2)
    "ehSched"=2 (0x2)
    "ehRecvr"=2 (0x2)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    .
    R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [12/24/2011 11:34 PM 89792]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 10:27 AM 12880]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 3:55 PM 67664]
    R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 5:38 PM 116608]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [12/24/2011 11:35 PM 160608]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [12/24/2011 11:24 PM 150856]
    R2 MSSQL$SOSHOME309;SQL Server (SOSHOME309);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [12/10/2010 5:29 PM 29293408]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [12/24/2011 11:34 PM 57600]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [12/24/2011 11:34 PM 338176]
    R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [12/24/2011 11:34 PM 83856]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2010 11:31 AM 135664]
    S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\d:\programs\Lavalys\EVEREST Corporate Edition\kerneld.wnt --> d:\programs\Lavalys\EVEREST Corporate Edition\kerneld.wnt [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/28/2010 11:31 AM 135664]
    S3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [12/26/2011 4:08 PM 203080]
    S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
    S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [12/24/2011 11:34 PM 83856]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [12/24/2011 11:34 PM 87656]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
    S4 McOobeSv;McAfee OOBE Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [12/24/2011 11:33 PM 214904]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/22/2009 9:08 PM 47128]
    S4 RsFx0103;RsFx0103 Driver;c:\windows\system32\drivers\RsFx0103.sys [3/30/2009 2:09 AM 239336]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [3/30/2009 2:23 AM 366936]
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - mfeavfk01
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-01-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 22:57]
    .
    2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 17:31]
    .
    2012-01-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-28 17:31]
    .
    2012-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1417001333-682003330-1003Core.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 11:56]
    .
    2012-01-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1417001333-682003330-1003UA.job
    - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-03 11:56]
    .
    2012-01-06 c:\windows\Tasks\HP Usg Daily FY04.job
    - c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped06.exe [2011-09-10 04:54]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.yahoo.com/
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-01-06 11:07
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
    "ImagePath"="\??\d:\programs\Lavalys\EVEREST Corporate Edition\kerneld.wnt"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,ff,3d,f8,ab,a9,87,4e,a4,a8,c1,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,61,ff,3d,f8,ab,a9,87,4e,a4,a8,c1,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(1424)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'explorer.exe'(2044)
    c:\windows\system32\WININET.dll
    c:\progra~1\mcafee\SITEAD~1\saHook.dll
    c:\windows\system32\msi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\igfxsrvc.exe
    c:\program files\Synaptics\SynTP\Toshiba.exe
    c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
    c:\windows\system32\HPZipm12.exe
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2012-01-06 11:15:21 - machine was rebooted
    ComboFix-quarantined-files.txt 2012-01-06 17:15
    ComboFix2.txt 2012-01-06 03:18
    .
    Pre-Run: 246,679,986,176 bytes free
    Post-Run: 246,664,441,856 bytes free
    .
    - - End Of File - - AD690300FB80FA943861365133A5F439
     
  20. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    Let's see if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded, double-click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Under the Custom Scan box paste this in:

      /md5start
      explorer.exe
      winlogon.exe
      userinit.exe
      svchost.exe
      /md5stop
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
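    As an added example (not code from ComboFix, OTL, or this thread), here is a small Python script that applies the same check the Sigcheck block in the ComboFix log and the /md5start scan requested above are after: it parses the Sigcheck lines and reports any copy of a core file that claims the same version as the reference copy under ServicePackFiles\i386 but has a different MD5 or size. The sample input is the svchost.exe and explorer.exe lines copied from the log above; the line layout the regex assumes and the choice of ServicePackFiles\i386 as the reference are my assumptions, not documented ComboFix behaviour.

```python
import re
from collections import defaultdict

# Sigcheck lines copied from the ComboFix log posted above. The leading
# bracket is ComboFix's signature flag; this script does not interpret it.
SAMPLE_SIGCHECK = r"""
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\svchost.exe
[-] 2008-04-14 . ECD453C1AD7D2FF9448C24A65642FE17 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
[-] 2006-03-15 . 8F078AE4ED187AAABC0A305146DE6716 . 14336 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\svchost.exe
[-] 2012-01-06 . F92D05B1C0DE946CF66B11479247FBDE . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
[-] 2006-03-15 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\explorer.exe
"""

# Assumed layout of one Sigcheck line:
#   [flag] date . md5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

# Windows XP keeps the Service Pack's pristine copies here (assumed reference).
REFERENCE_DIR = "\\servicepackfiles\\i386\\"


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        entry["size"] = int(entry["size"])
        entry["md5"] = entry["md5"].upper()
        entry["basename"] = entry["path"].rsplit("\\", 1)[-1].lower()
        entries.append(entry)
    return entries


def find_mismatches(text):
    """Compare every copy of a file against its Service Pack reference copy.

    A copy is reported when its version string equals the reference's but its
    MD5 or size does not: same claimed version, different bytes is the pattern
    a patched system file leaves behind. Copies carrying a different version
    (e.g. the pre-SP3 file kept for uninstall) are expected to differ and are
    not reported. Files with no reference copy are skipped.
    """
    by_name = defaultdict(list)
    for entry in parse_sigcheck(text):
        by_name[entry["basename"]].append(entry)

    findings = []
    for copies in by_name.values():
        ref = next((c for c in copies if REFERENCE_DIR in c["path"].lower()), None)
        if ref is None:
            continue  # nothing trustworthy to compare against
        for c in copies:
            if c is ref or c["version"] != ref["version"]:
                continue
            if c["md5"] != ref["md5"] or c["size"] != ref["size"]:
                findings.append({
                    "path": c["path"], "date": c["date"], "version": c["version"],
                    "md5": c["md5"], "ref_md5": ref["md5"],
                    "size": c["size"], "ref_size": ref["size"],
                })
    return findings


def format_report(findings):
    """Render findings as one line per suspect file, or an all-clear message."""
    if not findings:
        return "no version/hash mismatches against the Service Pack copies"
    lines = []
    for f in findings:
        lines.append(
            f"{f['path']} (modified {f['date']}, version {f['version']}): "
            f"md5 {f['md5']} size {f['size']} vs reference "
            f"md5 {f['ref_md5']} size {f['ref_size']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(find_mismatches(SAMPLE_SIGCHECK)))
```

On the log above this reports system32\svchost.exe and c:\windows\explorer.exe, the two files whose bytes differ from the SP3 copies while claiming the same version, which matches what the requested /md5 scan is meant to confirm.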
     
  21. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    Downloaded program and made the CD. Restarted computer, pressed F12 for Boot Menu and chose CD/DVD to boot. Computer comes up, but no REATOGO-X-PE file on the desktop, just the .exe file I downloaded. Tried to connect to the internet and got an error "Generic Host Process Win32 Service encountered a problem and needs to close." Then another popup that reads "Windows shutdown was initiated by NT Authority/System. DCOM Server Process Launcher service terminated unexpectedly." Got this error message last time with the virus.

    Let me know if I did something wrong and I'll try again. Thank you for the help!
     
  22. Broni

    Broni Malware Annihilator Posts: 52,905   +344

    I don't think you're booting to Reatogo.

    Try to boot another working computer from the CD you just created and see if it works.
     
  23. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    Made another boot CD and this one seemed to work.

    It did not ask me to load remote registry or remote user profile to scan. I could not connect to the internet via my wireless connection. Attempted to do a repair and got the following message: Windows could not finish repairing the problem because the following action cannot be completed: Disabling the wireless network adapter. Make sure your network adapter is properly installed.

    Here is Part 1 of the log.....

    OTL logfile created on: 1/6/2012 9:12:38 PM - Run
    OTLPE by OldTimer - Version 3.1.48.0 Folder = X:\Programs\OTLPE
    Microsoft Windows XP Service Pack 3 (Version = 5.1.2600) - Type = SYSTEM
    Internet Explorer (Version = 8.0.6001.18702)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1,014.00 Mb Total Physical Memory | 782.00 Mb Available Physical Memory | 77.00% Memory free
    902.00 Mb Paging File | 823.00 Mb Available in Paging File | 91.00% Paging File free
    Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 298.08 Gb Total Space | 228.77 Gb Free Space | 76.75% Space Free | Partition Type: NTFS
    Drive X: | 436.59 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS

    Computer Name: REATOGO | User Name: SYSTEM
    Boot Mode: Normal | Scan Mode: All users
    Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days
    Using ControlSet: ControlSet001

    ========== Win32 Services (SafeList) ==========

    SRV - [2011/12/06 18:25:42 | 000,150,856 | ---- | M] (McAfee, Inc.) [Auto] -- C:\WINDOWS\System32\mfevtps.exe -- (mfevtp)
    SRV - [2011/12/06 18:21:24 | 000,160,608 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
    SRV - [2011/12/06 18:21:08 | 000,166,288 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe -- (McShield)
    SRV - [2011/10/18 17:59:54 | 000,361,976 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
    SRV - [2011/08/11 18:38:07 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
    SRV - [2011/01/28 13:28:50 | 000,203,080 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee\MSC\McAWFwk.exe -- (McAWFwk)
    SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (MSK80Service)
    SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
    SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Disabled] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McOobeSv)
    SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
    SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
    SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
    SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
    SRV - [2011/01/27 19:28:14 | 000,214,904 | ---- | M] (McAfee, Inc.) [Auto] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
    SRV - [2010/01/15 07:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
    SRV - [2009/02/20 09:46:52 | 000,030,312 | ---- | M] (Microsoft Corporation) [Disabled] -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
    SRV - [2006/01/06 23:54:41 | 000,077,824 | ---- | M] (Hewlett-Packard Company) [On_Demand] -- C:\WINDOWS\system32\hpbpro.exe -- (HP Port Resolver)
    SRV - [2006/01/06 23:54:41 | 000,073,728 | ---- | M] (Hewlett-Packard Company) [On_Demand] -- C:\WINDOWS\system32\hpboid.exe -- (HP Status Server)
    SRV - [2004/03/18 16:55:48 | 000,065,536 | ---- | M] (HP) [On_Demand] -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | On_Demand] -- -- (WDICA)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDRELI)
    DRV - File not found [Kernel | On_Demand] -- -- (PDFRAME)
    DRV - File not found [Kernel | On_Demand] -- -- (PDCOMP)
    DRV - File not found [Kernel | System] -- -- (PCIDump)
    DRV - File not found [Kernel | On_Demand] -- -- (mfeavfk01)
    DRV - File not found [Kernel | System] -- -- (lbrtfdc)
    DRV - File not found [Kernel | System] -- -- (i2omgmt)
    DRV - File not found [Kernel | On_Demand] -- -- (EverestDriver)
    DRV - File not found [Kernel | System] -- -- (Changer)
    DRV - File not found [Kernel | On_Demand] -- -- (catchme)
    DRV - [2011/10/15 13:16:16 | 000,464,176 | ---- | M] (McAfee, Inc.) [Kernel | Boot] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
    DRV - [2011/10/15 13:16:16 | 000,338,176 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
    DRV - [2011/10/15 13:16:16 | 000,180,816 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
    DRV - [2011/10/15 13:16:16 | 000,121,256 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
    DRV - [2011/10/15 13:16:16 | 000,089,792 | ---- | M] (McAfee, Inc.) [Kernel | System] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
    DRV - [2011/10/15 13:16:16 | 000,087,656 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
    DRV - [2011/10/15 13:16:16 | 000,083,856 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
    DRV - [2011/10/15 13:16:16 | 000,083,856 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
    DRV - [2011/10/15 13:16:16 | 000,059,456 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
    DRV - [2011/10/15 13:16:16 | 000,057,600 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
    DRV - [2011/07/22 11:27:02 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
    DRV - [2011/07/12 16:55:22 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
    DRV - [2009/03/30 03:09:28 | 000,239,336 | ---- | M] (Microsoft Corporation) [File_System | Disabled] -- C:\WINDOWS\system32\drivers\RsFx0103.sys -- (RsFx0103)
    DRV - [2008/03/12 20:25:36 | 002,530,176 | R--- | M] (Intel Corporation) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\NETw4x32.sys -- (NETw4x32) Intel(R)
    DRV - [2005/11/30 11:12:00 | 000,162,560 | ---- | M] (Texas Instruments) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\tifm21.sys -- (tifm21)
    DRV - [2005/11/15 10:00:22 | 001,122,656 | ---- | M] (Agere Systems) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2005/09/23 19:56:28 | 003,966,976 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    IE - HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = about:blank
    IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKU\Administrator.OWNER-830FA6330.000_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
    IE - HKU\Administrator.OWNER-830FA6330.000_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 4E 9E 89 D2 1A C9 CC 01 [binary data]
    IE - HKU\Administrator.OWNER-830FA6330.000_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



    IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    IE - HKU\Owner_ON_C\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
    IE - HKU\Owner_ON_C\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    IE - HKU\Owner_ON_C\..\URLSearchHook: {472734EA-242A-422b-ADF8-83D1E48CC825} - Reg Error: Key error. File not found
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
    IE - HKU\Owner_ON_C\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@mcafee.com/MSC,version=10: C:\Program Files\McAfee\MSC\npMcSnFFPl.dll ()
    FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\NPMcFFPlg32.dll (McAfee, Inc.)
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)
    FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\1.3.21.79\npGoogleUpdate3.dll (Google Inc.)

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{D19CA586-DD6C-4a0a-96F8-14644F340D60}: C:\Program Files\Common Files\McAfee\SystemCore [2012/01/06 20:17:18 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012/01/04 22:12:33 | 000,000,000 | ---D | M]

    [2011/10/12 09:14:32 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions
    [2011/10/12 09:14:32 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Owner\Application Data\Mozilla\Extensions\mozswing@mozswing.org

    O1 HOSTS File: ([2012/01/06 12:05:45 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20111226160148.dll (McAfee, Inc.)
    O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7018.1622\swg.dll (Google Inc.)
    O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O4 - HKLM..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe (Brother Industries, Ltd.)
    O4 - HKLM..\Run: [FamilyCyberAlert] C:\WINDOWS\system32\FCyberAlert\Syslogin.exe (InfoWorks Technology Company)
    O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe (HP)
    O4 - HKLM..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe (Hewlett-Packard)
    O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
    O4 - HKLM..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe (Brother Industories, Ltd.)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\Administrator.OWNER-830FA6330.000_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Administrator.OWNER-830FA6330.000_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKU\LocalService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\NetworkService_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Owner_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
    O7 - HKU\Owner_ON_C\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKU\systemprofile_ON_C\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/downl...-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O16 - DPF: Garmin Communicator Plug-In https://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
    O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
    O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - C:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
    O18 - Protocol\Filter\application/x-mfe-ipt {3EF5086B-5478-4598-A054-786C45D75692} - C:\Program Files\McAfee\MSC\McSnIePl.dll (McAfee, Inc.)
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
    O24 - Desktop WallPaper:
    O24 - Desktop BackupWallPaper:
    O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
    O32 - HKLM CDRom: AutoRun - 1
    O32 - AutoRun File - [2010/02/19 10:22:19 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
    O32 - AutoRun File - [2006/03/24 06:06:41 | 000,000,053 | R--- | M] () - X:\AUTORUN.INF -- [ CDFS ]
    O34 - HKLM BootExecute: (autocheck autochk *) - File not found
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O37 - HKU\.DEFAULT\...exe [@ = exefile] -- Reg Error: Key error. File not found

    ========== Files/Folders - Created Within 30 Days ==========

    [2012/01/06 21:02:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2012/01/06 19:59:53 | 000,000,000 | -HSD | C] -- C:\RECYCLER
    [2012/01/06 19:34:00 | 127,231,689 | ---- | C] (Igor Pavlov) -- C:\Documents and Settings\Owner\Desktop\OTLPENet.exe
    [2012/01/06 11:20:01 | 001,153,912 | ---- | C] (Emsi Software GmbH) -- C:\Documents and Settings\Owner\Desktop\BlitzBlank.exe
    [2012/01/06 00:19:04 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
    [2012/01/06 00:00:03 | 000,000,000 | RHSD | C] -- C:\cmdcons
    [2012/01/05 23:54:36 | 004,372,321 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    [2012/01/05 21:32:59 | 004,372,321 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\Ownerfix.exe
    [2012/01/05 21:01:03 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
    [2012/01/05 21:01:03 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
    [2012/01/05 21:01:03 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
    [2012/01/05 21:01:03 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
    [2012/01/05 21:00:57 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
    [2012/01/05 21:00:51 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/01/04 17:47:03 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
    [2012/01/04 02:17:16 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Recent
    [2012/01/04 01:10:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Application Data\SUPERAntiSpyware.com
    [2012/01/03 13:33:11 | 004,007,216 | ---- | C] (IObit ) -- C:\Documents and Settings\Owner\Desktop\defragsetup.exe
    [2012/01/03 12:37:54 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Owner\Recent
    [2012/01/02 16:49:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Apple Computer
    [2012/01/02 16:44:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    [2012/01/02 16:43:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
    [2012/01/02 16:42:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    [2012/01/02 16:42:45 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
    [2012/01/02 10:46:05 | 000,052,480 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\i8042prt.sys
    [2012/01/02 10:45:50 | 000,081,920 | ---- | C] (Synaptics, Inc.) -- C:\WINDOWS\System32\SynTPCo2.dll
    [2012/01/02 10:45:50 | 000,069,721 | ---- | C] (Synaptics, Inc.) -- C:\WINDOWS\System32\SynTPFcs.dll
    [2012/01/02 10:45:48 | 000,000,000 | ---D | C] -- C:\Program Files\Synaptics
    [2012/01/02 10:45:06 | 000,000,000 | ---D | C] -- C:\Touchpad.temp
    [2012/01/02 10:44:03 | 013,792,472 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware.exe
    [2012/01/02 01:57:37 | 000,200,976 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
    [2012/01/02 01:53:14 | 002,002,320 | ---- | C] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Desktop\HousecallLauncher.exe
    [2012/01/02 01:48:44 | 010,847,608 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Desktop\mbam-setup-1.60.0.1800.exe
    [2012/01/02 01:46:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Application Data\Adobe
    [2012/01/02 01:46:07 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\PrivacIE
    [2012/01/02 01:44:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Application Data\Malwarebytes
    [2012/01/02 01:43:30 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\IETldCache
    [2012/01/02 01:42:57 | 000,000,000 | --SD | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Application Data\Microsoft
    [2012/01/02 01:42:57 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Application Data
    [2012/01/02 01:42:57 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Cookies
    [2012/01/02 01:42:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Application Data\Macromedia
    [2012/01/02 01:42:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Favorites
    [2012/01/02 01:42:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Desktop
    [2012/01/02 01:42:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Local Settings\Application Data\Adobe
    [2012/01/02 01:42:56 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Start Menu\Programs\Startup
    [2012/01/02 01:42:56 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Start Menu
    [2012/01/02 01:42:56 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\SendTo
    [2012/01/02 01:42:56 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Start Menu\Programs\Accessories
    [2012/01/02 01:42:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\My Documents\Visual Studio 2010
    [2012/01/02 01:42:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Templates
    [2012/01/02 01:42:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\PrintHood
    [2012/01/02 01:42:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\NetHood
    [2012/01/02 01:42:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\My Documents
    [2012/01/02 01:42:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Local Settings\Application Data\Microsoft Help
    [2012/01/02 01:42:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Local Settings\Application Data\Microsoft
    [2012/01/02 01:42:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Local Settings
    [2011/12/31 15:42:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/12/31 15:42:34 | 000,020,464 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/12/31 15:42:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2011/12/31 15:12:11 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
    [2011/12/31 14:18:22 | 007,956,512 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-rules.exe
    [2011/12/31 14:18:03 | 010,847,608 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup-1.60.0.1800.exe
    [2011/12/31 13:43:20 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\Administrative Tools
    [2011/12/31 00:09:19 | 000,000,000 | ---D | C] -- C:\found.000
    [2011/12/30 20:16:21 | 000,000,000 | ---D | C] -- C:\$AVG
    [2011/12/28 17:30:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Start Menu\Programs\System Check
    [2011/12/28 16:50:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\NetHood
    [2011/12/26 17:36:29 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\LocalService\PrivacIE
    [2011/12/26 17:23:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!
    [2011/12/25 16:51:05 | 000,000,000 | ---D | C] -- C:\e
    [2011/12/25 16:17:35 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\PrivacIE
    [2011/12/25 16:16:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
    [2011/12/25 00:34:49 | 000,009,608 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeclnk.sys
    [2011/12/25 00:34:19 | 000,089,792 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfetdi2k.sys
    [2011/12/25 00:34:18 | 000,083,856 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfendisk.sys
    [2011/12/25 00:34:17 | 000,087,656 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdet.sys
    [2011/12/25 00:34:15 | 000,338,176 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfefirek.sys
    [2011/12/25 00:34:12 | 000,059,456 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
    [2011/12/25 00:34:11 | 000,180,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
    [2011/12/25 00:34:08 | 000,057,600 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\cfwids.sys
    [2011/12/25 00:33:18 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Mcafee
    [2011/12/25 00:33:15 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee.com
    [2011/12/25 00:32:33 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
    [2011/12/25 00:24:26 | 000,121,256 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys
    [2011/12/25 00:24:11 | 000,464,176 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
    [2011/12/25 00:24:06 | 000,150,856 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe
    [2011/12/25 00:24:06 | 000,148,520 | R--- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe.8a8a.deleteme
    [2011/12/25 00:13:38 | 000,118,784 | R--- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeapfk.sys.d07b.deleteme
    [2011/12/25 00:13:33 | 000,459,728 | R--- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys.1538.deleteme
    [2011/12/25 00:13:26 | 000,148,520 | R--- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\mfevtps.exe.e1e3.deleteme
    [2011/12/24 13:36:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
    [2011/12/24 13:19:50 | 000,000,000 | R--D | C] -- C:\Documents and Settings\LocalService\Favorites
    [2011/12/24 11:53:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
    [2011/12/24 11:53:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
    [2011/12/24 11:18:17 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
    [2011/12/20 15:21:17 | 000,000,000 | R--D | C] -- C:\Documents and Settings\NetworkService\Favorites
    [2011/12/20 14:53:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
    [2011/12/20 14:48:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
    [2011/12/20 14:48:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
    [2011/12/20 14:43:22 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\NetworkService\IETldCache
    [2011/12/20 14:32:43 | 000,000,000 | -HSD | C] -- C:\WINDOWS\CSC
    [2011/12/19 13:18:25 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\LogFiles
    [2010/10/17 12:36:53 | 007,053,264 | ---- | C] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Documents and Settings\Owner\gosetup.exe
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
     
  24. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    Part 2 of the log.........

    ========== Files - Modified Within 30 Days ==========

    [2012/01/06 21:54:49 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
    [2012/01/06 21:26:19 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1417001333-682003330-1003UA.job
    [2012/01/06 21:16:19 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
    [2012/01/06 21:02:03 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Internet Security.lnk
    [2012/01/06 21:02:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
    [2012/01/06 20:48:00 | 000,000,316 | ---- | M] () -- C:\WINDOWS\tasks\HP Usg Daily FY04.job
    [2012/01/06 20:12:46 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
    [2012/01/06 14:26:58 | 127,231,689 | ---- | M] (Igor Pavlov) -- C:\Documents and Settings\Owner\Desktop\OTLPENet.exe
    [2012/01/06 12:05:45 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
    [2012/01/06 11:29:33 | 001,058,816 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
    [2012/01/06 11:17:52 | 001,153,912 | ---- | M] (Emsi Software GmbH) -- C:\Documents and Settings\Owner\Desktop\BlitzBlank.exe
    [2012/01/06 00:26:01 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1409082233-1417001333-682003330-1003Core.job
    [2012/01/06 00:20:34 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
    [2012/01/05 21:30:36 | 001,008,141 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\rkill.exe
    [2012/01/05 21:29:08 | 004,372,321 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\Ownerfix.exe
    [2012/01/05 21:29:08 | 004,372,321 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    [2012/01/05 20:54:49 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
    [2012/01/05 11:16:25 | 000,006,144 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2012/01/04 22:06:06 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2012/01/04 02:41:04 | 000,064,626 | ---- | M] () -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Desktop\cc_20120104_014057.reg
    [2012/01/04 01:15:39 | 000,000,209 | -HS- | M] () -- C:\boot.ini
    [2012/01/03 17:39:34 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    [2012/01/03 12:52:04 | 004,007,216 | ---- | M] (IObit ) -- C:\Documents and Settings\Owner\Desktop\defragsetup.exe
    [2012/01/02 19:48:46 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Games
    [2012/01/02 18:21:45 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
    [2012/01/02 16:54:49 | 000,000,654 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\iTunes.lnk
    [2012/01/02 16:43:03 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2012/01/02 16:43:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
    [2012/01/02 10:37:48 | 005,652,632 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\sa105tpdriverx.exe
    [2012/01/02 10:26:46 | 013,792,472 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\Owner\Desktop\SUPERAntiSpyware.exe
    [2012/01/02 02:44:27 | 000,164,235 | ---- | M] () -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Local Settings\Application Data\census.cache
    [2012/01/02 02:43:27 | 000,164,204 | ---- | M] () -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Local Settings\Application Data\ars.cache
    [2012/01/02 01:53:45 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Local Settings\Application Data\housecall.guid.cache
    [2012/01/02 01:53:14 | 002,002,320 | ---- | M] (Trend Micro Inc.) -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Desktop\HousecallLauncher.exe
    [2012/01/02 01:48:55 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Desktop\mbam-setup-1.60.0.1800.exe
    [2012/01/02 01:10:15 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
    [2011/12/31 15:42:37 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2011/12/31 15:42:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2011/12/30 23:21:02 | 000,448,695 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\AVG virus popup while Malware was running.jpg
    [2011/12/30 20:37:34 | 000,289,007 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\virus vault caught 2.jpg
    [2011/12/30 20:33:12 | 000,258,686 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\virus vault caught.jpg
    [2011/12/30 13:46:18 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Owner\Desktop\dds.scr
    [2011/12/30 13:43:42 | 000,302,592 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\2f0ttoz1.exe
    [2011/12/30 13:31:52 | 007,956,512 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-rules.exe
    [2011/12/30 13:29:16 | 010,847,608 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Owner\Desktop\mbam-setup-1.60.0.1800.exe
    [2011/12/28 16:51:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Windows Digital Media Enhancements
    [2011/12/28 16:51:05 | 000,000,000 | --SD | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\OpenOffice.org 3.3
    [2011/12/28 16:51:05 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    [2011/12/28 16:51:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
    [2011/12/28 16:51:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Visual Studio 2010 Express
    [2011/12/28 16:51:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft SQL Server 2008
    [2011/12/28 16:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
    [2011/12/28 16:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee Security Scan Plus
    [2011/12/28 16:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
    [2011/12/28 16:51:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Garmin
    [2011/12/28 16:51:01 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\CCleaner
    [2011/12/28 16:51:00 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
    [2011/12/28 16:51:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Bilingual Books
    [2011/12/28 16:50:59 | 000,000,000 | R--D | M] -- C:\Documents and Settings\All Users\Start Menu\Programs\Accessories
    [2011/12/28 16:46:28 | 000,001,202 | -HS- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\w03v5ho382r0eu83588ggfx84pax154ve3u7
    [2011/12/28 12:08:30 | 000,321,542 | ---- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
    [2011/12/28 06:59:51 | 000,020,660 | -HS- | M] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\au28rqra8fv2700kr8366nd3am6oq5t1
    [2011/12/28 06:59:51 | 000,020,660 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\au28rqra8fv2700kr8366nd3am6oq5t1
    [2011/12/26 11:26:46 | 000,020,770 | -HS- | M] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\au28rqra8fv2700kr8366nd3am6oq5t1
    [2011/12/26 00:00:10 | 000,633,170 | ---- | M] () -- C:\WINDOWS\System32\drivers\Cat.DB
    [2011/12/25 17:06:46 | 000,000,240 | ---- | M] () -- C:\srch_site_1.gif
    [2011/12/25 17:06:45 | 000,000,277 | ---- | M] () -- C:\mov_1.gif
    [2011/12/25 17:06:45 | 000,000,274 | ---- | M] () -- C:\trav_1.gif
    [2011/12/25 17:06:44 | 000,000,284 | ---- | M] () -- C:\srch_map_1.gif
    [2011/12/25 17:06:44 | 000,000,273 | ---- | M] () -- C:\srch_stk_1.gif
    [2011/12/25 17:06:44 | 000,000,138 | ---- | M] () -- C:\flk2.gif
    [2011/12/25 17:06:43 | 000,000,113 | ---- | M] () -- C:\del_1.gif
    [2011/12/25 16:58:22 | 000,000,380 | ---- | M] () -- C:\edu.bmp
    [2011/12/25 16:58:22 | 000,000,304 | ---- | M] () -- C:\dir.bmp
    [2011/12/25 16:58:22 | 000,000,279 | ---- | M] () -- C:\hj_1.gif
    [2011/12/25 16:58:22 | 000,000,268 | ---- | M] () -- C:\ab_1.gif
    [2011/12/25 16:58:22 | 000,000,121 | ---- | M] () -- C:\srch_nws_1.gif
    [2011/12/25 16:58:22 | 000,000,113 | ---- | M] () -- C:\srch_aud_1.gif
    [2011/12/25 16:58:19 | 000,000,265 | ---- | M] () -- C:\srch_ans_1.gif
    [2011/12/25 16:58:18 | 000,000,123 | ---- | M] () -- C:\srch_sh_1.gif
    [2011/12/25 16:58:17 | 000,000,131 | ---- | M] () -- C:\srch_loc_1.gif
    [2011/12/25 16:58:16 | 000,000,112 | ---- | M] () -- C:\srch_vid_1.gif
    [2011/12/25 16:58:14 | 000,000,112 | ---- | M] () -- C:\srch_img_1.gif
    [2011/12/25 16:58:11 | 000,000,235 | ---- | M] () -- C:\srch_1.gif
    [2011/12/25 14:58:14 | 000,016,832 | ---- | M] () -- C:\WINDOWS\System32\amcompat.tlb
    [2011/12/25 14:58:13 | 000,023,392 | ---- | M] () -- C:\WINDOWS\System32\nscompat.tlb
    [2011/12/24 22:27:32 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\kDJeBl3a0.com.b
    [2011/12/24 19:56:16 | 000,018,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Application Data\015467y6h152l128c172x1glr3b3
    [2011/12/24 19:56:15 | 000,018,272 | -HS- | M] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\015467y6h152l128c172x1glr3b3
    [2011/12/24 11:33:50 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\41Jq85.dat
    [2011/12/15 14:18:13 | 000,011,924 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\New OpenDocument Text (8).odt
    [2011/12/15 10:47:28 | 000,292,480 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2011/12/15 10:27:59 | 000,002,284 | ---- | M] () -- C:\Documents and Settings\Owner\Desktop\Google Chrome.lnk
    [2011/12/10 16:24:06 | 000,020,464 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
    [2011/12/08 10:42:06 | 000,012,040 | ---- | M] () -- C:\Documents and Settings\Owner\My Documents\thank you letter to memphis.odt
    [6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

    ========== Files Created - No Company Name ==========

    [2012/01/05 21:33:31 | 001,008,141 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\rkill.exe
    [2012/01/05 21:01:03 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
    [2012/01/05 21:01:03 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
    [2012/01/05 21:01:03 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
    [2012/01/05 21:01:03 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
    [2012/01/05 21:01:03 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
    [2012/01/05 20:54:49 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\MBR.dat
    [2012/01/04 17:46:57 | 000,302,592 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\2f0ttoz1.exe
    [2012/01/04 02:41:02 | 000,064,626 | ---- | C] () -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Desktop\cc_20120104_014057.reg
    [2012/01/03 13:35:24 | 000,448,695 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\AVG virus popup while Malware was running.jpg
    [2012/01/03 13:35:24 | 000,289,007 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\virus vault caught 2.jpg
    [2012/01/03 13:35:24 | 000,258,686 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\virus vault caught.jpg
    [2012/01/02 18:21:45 | 000,000,682 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\CCleaner.lnk
    [2012/01/02 16:54:49 | 000,000,654 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\iTunes.lnk
    [2012/01/02 16:43:03 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
    [2012/01/02 10:44:38 | 005,652,632 | ---- | C] () -- C:\Documents and Settings\Owner\Desktop\sa105tpdriverx.exe
    [2012/01/02 02:44:27 | 000,164,235 | ---- | C] () -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Local Settings\Application Data\census.cache
    [2012/01/02 02:43:27 | 000,164,204 | ---- | C] () -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Local Settings\Application Data\ars.cache
    [2012/01/02 01:53:45 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Local Settings\Application Data\housecall.guid.cache
    [2012/01/02 01:42:58 | 000,001,599 | ---- | C] () -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Start Menu\Programs\Remote Assistance.lnk
    [2012/01/02 01:42:58 | 000,000,792 | ---- | C] () -- C:\Documents and Settings\Administrator.OWNER-830FA6330.000\Start Menu\Programs\Windows Media Player.lnk
    [2012/01/02 01:10:15 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\housecall.guid.cache
    [2011/12/31 15:42:37 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    [2011/12/29 15:03:14 | 000,001,595 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Internet Security.lnk
    [2011/12/28 16:46:28 | 000,001,202 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\w03v5ho382r0eu83588ggfx84pax154ve3u7
    [2011/12/26 16:10:27 | 000,020,660 | -HS- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\au28rqra8fv2700kr8366nd3am6oq5t1
    [2011/12/26 03:25:59 | 000,020,770 | -HS- | C] () -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\au28rqra8fv2700kr8366nd3am6oq5t1
    [2011/12/26 03:25:59 | 000,020,660 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\au28rqra8fv2700kr8366nd3am6oq5t1
    [2011/12/25 17:06:46 | 000,000,240 | ---- | C] () -- C:\srch_site_1.gif
    [2011/12/25 17:06:45 | 000,000,277 | ---- | C] () -- C:\mov_1.gif
    [2011/12/25 17:06:45 | 000,000,274 | ---- | C] () -- C:\trav_1.gif
    [2011/12/25 17:06:44 | 000,000,284 | ---- | C] () -- C:\srch_map_1.gif
    [2011/12/25 17:06:44 | 000,000,273 | ---- | C] () -- C:\srch_stk_1.gif
    [2011/12/25 17:06:44 | 000,000,138 | ---- | C] () -- C:\flk2.gif
    [2011/12/25 17:06:43 | 000,000,113 | ---- | C] () -- C:\del_1.gif
    [2011/12/25 16:58:22 | 000,000,380 | ---- | C] () -- C:\edu.bmp
    [2011/12/25 16:58:22 | 000,000,304 | ---- | C] () -- C:\dir.bmp
    [2011/12/25 16:58:22 | 000,000,279 | ---- | C] () -- C:\hj_1.gif
    [2011/12/25 16:58:22 | 000,000,268 | ---- | C] () -- C:\ab_1.gif
    [2011/12/25 16:58:22 | 000,000,121 | ---- | C] () -- C:\srch_nws_1.gif
    [2011/12/25 16:58:22 | 000,000,113 | ---- | C] () -- C:\srch_aud_1.gif
    [2011/12/25 16:58:19 | 000,000,265 | ---- | C] () -- C:\srch_ans_1.gif
    [2011/12/25 16:58:18 | 000,000,123 | ---- | C] () -- C:\srch_sh_1.gif
    [2011/12/25 16:58:17 | 000,000,131 | ---- | C] () -- C:\srch_loc_1.gif
    [2011/12/25 16:58:16 | 000,000,112 | ---- | C] () -- C:\srch_vid_1.gif
    [2011/12/25 16:58:14 | 000,000,112 | ---- | C] () -- C:\srch_img_1.gif
    [2011/12/25 16:58:10 | 000,000,235 | ---- | C] () -- C:\srch_1.gif
    [2011/12/24 22:27:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\kDJeBl3a0.com.b
    [2011/12/24 11:33:50 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\41Jq85.dat
    [2011/12/24 11:31:01 | 000,633,170 | ---- | C] () -- C:\WINDOWS\System32\drivers\Cat.DB
    [2011/12/19 13:18:20 | 000,018,272 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\015467y6h152l128c172x1glr3b3
    [2011/12/19 13:18:19 | 000,018,272 | -HS- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\015467y6h152l128c172x1glr3b3
    [2011/12/15 14:12:04 | 000,011,924 | ---- | C] () -- C:\Documents and Settings\Owner\My Documents\New OpenDocument Text (8).odt
    [2011/11/03 15:35:02 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\fusioncache.dat
    [2011/09/10 15:44:17 | 000,093,422 | ---- | C] () -- C:\WINDOWS\HPHins03.dat
    [2011/09/10 15:44:17 | 000,002,655 | ---- | C] () -- C:\WINDOWS\hphmdl03.dat
    [2011/09/10 15:43:44 | 000,009,505 | ---- | C] () -- C:\WINDOWS\System32\hphmon06.dat
    [2011/09/01 18:14:23 | 000,163,752 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    [2011/09/01 18:14:20 | 000,688,903 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1409082233-1417001333-682003330-1003-0.dat
    [2011/09/01 18:14:19 | 000,321,542 | ---- | C] () -- C:\Documents and Settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
    [2011/08/26 18:44:24 | 000,000,051 | ---- | C] () -- C:\WINDOWS\brmx2001.ini
    [2011/08/26 18:44:24 | 000,000,040 | ---- | C] () -- C:\WINDOWS\opt_2460.ini
    [2011/01/27 19:02:46 | 000,001,324 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
    [2010/12/26 13:14:35 | 000,006,144 | ---- | C] () -- C:\Documents and Settings\Owner\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    [2010/10/16 10:39:37 | 000,000,099 | ---- | C] () -- C:\Documents and Settings\Owner\jagex_runescape_preferences2.dat
    [2010/10/16 10:38:09 | 000,000,046 | ---- | C] () -- C:\Documents and Settings\Owner\jagex_runescape_preferences.dat
    [2010/09/12 17:48:32 | 000,000,209 | ---- | C] () -- C:\WINDOWS\Brpfx04a.ini
    [2010/09/12 17:48:32 | 000,000,092 | ---- | C] () -- C:\WINDOWS\brpcfx.ini
    [2010/09/12 17:48:32 | 000,000,065 | ---- | C] () -- C:\WINDOWS\System32\BD7420.dat
    [2010/09/12 17:48:31 | 000,000,426 | ---- | C] () -- C:\WINDOWS\brwmark.ini
    [2010/09/12 17:48:31 | 000,000,052 | ---- | C] () -- C:\WINDOWS\BRPP2KA.INI
    [2010/09/12 17:47:59 | 000,077,824 | ---- | C] () -- C:\WINDOWS\System32\BROSNMP.DLL
    [2010/09/12 17:47:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\brdfxspd.dat
    [2010/09/09 15:53:35 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PowerReg.dat
    [2010/08/14 14:47:45 | 000,000,410 | ---- | C] () -- C:\Documents and Settings\Owner\Application Data\com.headroomlearning.success_state.xml
    [2010/06/04 12:57:22 | 000,000,121 | ---- | C] () -- C:\WINDOWS\Winchat.ini
    [2010/03/01 22:22:34 | 000,061,944 | ---- | C] () -- C:\WINDOWS\System32\mlfcache.dat
    [2010/02/20 17:01:01 | 000,128,113 | ---- | C] () -- C:\WINDOWS\System32\csellang.ini
    [2010/02/20 17:01:01 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\csellang.dll
    [2010/02/20 17:01:01 | 000,010,165 | ---- | C] () -- C:\WINDOWS\System32\tosmreg.ini
    [2010/02/20 17:01:01 | 000,007,671 | ---- | C] () -- C:\WINDOWS\System32\cseltbl.ini
    [2010/02/20 11:06:47 | 000,147,456 | R--- | C] () -- C:\WINDOWS\System32\igfxCoIn_v4906.dll
    [2010/02/19 10:26:15 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
    [2010/02/19 09:58:38 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
    [2010/02/18 12:51:46 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
    [2010/02/18 12:50:27 | 000,292,480 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
    [2006/03/15 07:00:00 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
    [2006/03/15 07:00:00 | 001,033,728 | ---- | C] () -- C:\WINDOWS\expl.dat
    [2006/03/15 07:00:00 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
    [2006/03/15 07:00:00 | 000,658,784 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
    [2006/03/15 07:00:00 | 000,507,904 | ---- | C] () -- C:\WINDOWS\System32\winl.dat
    [2006/03/15 07:00:00 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
    [2006/03/15 07:00:00 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
    [2006/03/15 07:00:00 | 000,147,558 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
    [2006/03/15 07:00:00 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
    [2006/03/15 07:00:00 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
    [2006/03/15 07:00:00 | 000,014,336 | ---- | C] () -- C:\WINDOWS\System32\svch.dat
    [2006/03/15 07:00:00 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
    [2006/03/15 07:00:00 | 000,004,461 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
    [2006/03/15 07:00:00 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
    [2006/03/15 07:00:00 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat

    ========== LOP Check ==========

    [2011/10/03 17:58:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\.minecraft
    [2010/02/28 12:19:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
    [2010/08/14 14:46:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\com.headroomlearning.success.E906FDB8037C0EF6FFEB8EA592E89D1E073818BC.1
    [2011/10/16 21:59:22 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\Garmin
    [2010/03/14 19:11:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\GetRightToGo
    [2011/10/12 09:28:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\LimeWire
    [2011/04/16 06:51:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\OpenOffice.org
    [2010/04/13 07:27:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\TightVNC
    [2011/10/27 13:58:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Owner\Application Data\uTorrent
    [2010/04/13 07:22:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\TightVNC
    [2010/04/13 07:39:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\TightVNC
    [2011/08/31 16:31:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AOP
    [2010/10/17 12:37:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\CitrixLogs
    [2011/09/13 08:50:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
    [2010/08/14 14:31:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Headroom_Learning
    [2010/05/09 12:24:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
    [2010/02/27 16:29:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}

    ========== Purity Check ==========



    ========== Custom Scans ==========



    < MD5 for: EXPLORER.EXE >
    [2008/04/14 06:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
    [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\explorer.exe
    [2006/03/15 07:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
    [2012/01/06 11:29:33 | 001,058,816 | ---- | M] (Microsoft Corporation) MD5=F92D05B1C0DE946CF66B11479247FBDE -- C:\WINDOWS\explorer.exe

    < MD5 for: SVCHOST.EXE >
    [2008/04/14 06:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\ServicePackFiles\i386\svchost.exe
    [2008/04/13 19:12:36 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=27C6D03BCDB8CFEB96B716F3D8BE3E18 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\svchost.exe
    [2006/03/15 07:00:00 | 000,014,336 | ---- | M] (Microsoft Corporation) MD5=8F078AE4ED187AAABC0A305146DE6716 -- C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
    [2011/12/24 18:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe
    [2008/04/14 06:42:10 | 000,039,936 | ---- | M] (Microsoft Corporation) MD5=ECD453C1AD7D2FF9448C24A65642FE17 -- C:\WINDOWS\system32\svchost.exe

    < MD5 for: USERINIT.EXE >
    [2006/03/15 07:00:00 | 000,024,576 | ---- | M] (Microsoft Corporation) MD5=39B1FFB03C2296323832ACBAE50D2AFF -- C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
    [2008/04/14 06:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ERDNT\cache\userinit.exe
    [2008/04/14 06:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\ServicePackFiles\i386\userinit.exe
    [2008/04/13 19:12:38 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\userinit.exe
    [2008/04/14 06:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation) MD5=A93AEE1928A9D7CE3E16D24EC7380F89 -- C:\WINDOWS\system32\userinit.exe

    < MD5 for: WINLOGON.EXE >
    [2006/03/15 07:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
    [2008/04/14 06:42:10 | 000,545,280 | ---- | M] (Microsoft Corporation) MD5=1300F6682BEA386767AE2A7C6C2DDCA7 -- C:\WINDOWS\system32\winlogon.exe
    [2011/12/24 18:50:20 | 000,182,856 | ---- | M] () MD5=B382935AB01B27D0E14F267DBF288896 -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
    [2008/04/14 06:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
    [2008/04/13 19:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\winlogon.exe
    < End of report >
     
  25. goleftfast

    goleftfast TS Rookie Topic Starter Posts: 20

    I'm beginning to think about reinstalling Windows. I have a "Recovery & Applications" DVD that came with the laptop. Will this reformat the drive and install new Windows software on my laptop? Not sure what a Recovery DVD might be.

    I've run so many fix it programs and it is still not working. Might be time to throw in the towel. LMK
     
