Solved Possibly infected... unwanted program file attachment... logs attached

mcIrishgurl

A program file called Cloud AV 2012 attached itself while my husband was online. It randomly launches and appears to be a suspicious security tool. I immediately end it through Task Manager, and it does not allow for uninstallation. The PC is now running extremely slow.

Thanks in advance for any help!

Attached are the required logs.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8229

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/24/2011 12:48:11 AM
mbam-log-2011-11-24 (00-48-11).txt

Scan type: Quick scan
Objects scanned: 206944
Time elapsed: 28 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.EXE (Trojan.Email) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\O5sJdEL8gZhCkVl (Trojan.FakeAlert.Gen) -> Value: O5sJdEL8gZhCkVl -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\0.5575465834312043.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\windows\temp\mediwa\setup.exe (Trojan.Email) -> Quarantined and deleted successfully.
c:\documents and settings\Joe\application data\ldr.ini (Malware.Trace) -> Quarantined and deleted successfully.
 
Not letting me send/post anything

I'm not able to send/post. I get redirected to a message that says: The connection was reset. The connection to the server was reset while the page was loading.
 
Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

==========================================================

Can you ATTACH other logs?
 
Every time I try to post the other logs, or even this small post, which took several tries, I am now getting this message:

Unable to connect


Firefox can't establish a connection to the server at www.techspot.com.
 
Now it's not letting me finish again. It redirects to a page with this message:

The connection was reset


The connection to the server was reset while the page was loading.
 
I even tried to upload the logs to my email to send to my son's laptop, then post from there, but when I tried uploading to my Hotmail I got an error message while uploading that says:

We couldn't upload your files because you may have temporarily lost your Internet connection. Please try uploading them again.
 
Upload the file(s) here: http://www.filedropper.com/
Post the download link (copy URL: link):
 
Those files are deleted after 7 days, I believe.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_26
Run by Joe at 7:23:16 on 2011-11-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.592 [GMT -6:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxebserv.exe
C:\WINDOWS\system32\lxebcoms.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mfevtps.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\LVComsX.exe
C:\WINDOWS\System32\ping.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.att.net/
uSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20110509214019.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1301098716453
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1301103901046
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{5552D5E7-8E2B-4EFD-8EB1-1188DC6F16FF} : DhcpNameServer = 192.168.2.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\joe\application data\mozilla\firefox\profiles\wc40fgpi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mcafee\siteadvisor\NPMcFFPlg32.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-10-13 387480]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2011-3-26 84200]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2011-3-26 54760]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [2011-5-17 193192]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-27 366152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-26 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-26 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-26 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2011-3-26 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2011-3-26 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2011-3-26 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2011-3-26 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2011-3-26 56064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-27 22216]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2011-3-26 153280]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2011-3-26 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2011-3-26 88736]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2011-3-26 52320]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2011-3-26 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2011-3-26 84488]
.
=============== Created Last 30 ================
.
2011-11-24 04:13:37 -------- d-----w- c:\documents and settings\joe\application data\K689wetyioasfgj
2011-11-24 04:13:36 -------- d-----w- c:\documents and settings\joe\application data\UKLXeryuopsdgh
2011-11-23 19:53:50 -------- d-----w- c:\documents and settings\joe\application data\iTjCkVzAuSoFpsJ
2011-11-23 19:53:50 -------- d-----w- c:\documents and settings\joe\application data\hYwVtPySiDn4Q6K
2011-11-23 19:52:50 -------- d-----w- c:\documents and settings\joe\application data\L9gTXqjUCkBzNx
2011-11-23 19:52:47 -------- d-----w- c:\documents and settings\joe\application data\SD2onF4pm5W7TYl
2011-11-23 00:22:00 -------- d-----w- c:\documents and settings\joe\application data\KCekIrzNx1v2b4m
2011-11-23 00:21:59 -------- d-----w- c:\documents and settings\joe\application data\abD3oG4Q6W7R9Tq
2011-11-22 22:22:48 -------- d-----w- c:\documents and settings\joe\application data\wL9hTwUeIt
2011-11-22 22:22:48 -------- d-----w- c:\documents and settings\joe\application data\QrONx0c2b3n5Q6K
2011-11-22 20:57:55 -------- d-----w- c:\documents and settings\joe\application data\gx0Sbp5Qd8h
2011-11-22 20:57:54 -------- d-----w- c:\documents and settings\joe\application data\ZmG5lyHLCNuopsR
2011-11-22 20:57:09 -------- d-----w- c:\program files\4B0D4
2011-11-22 20:56:20 -------- d-----w- c:\documents and settings\joe\application data\0834B
2011-11-22 20:56:17 -------- d-----w- c:\program files\LP
2011-11-22 20:56:09 -------- d-----w- c:\documents and settings\joe\application data\CEK8fZhXjVOtPyS
2011-11-22 20:56:06 -------- d-----w- c:\documents and settings\joe\application data\wVelOx0Sio
2011-10-27 21:00:10 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2011-10-27 21:00:10 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2011-10-27 21:00:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2011-10-27 21:00:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2011-10-27 21:00:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2011-10-27 21:00:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2011-10-27 21:00:09 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2011-10-27 20:16:43 -------- d-----w- c:\program files\iPod
2011-10-27 20:16:25 -------- d-----w- c:\program files\iTunes
2011-10-27 19:57:04 -------- d-----w- c:\program files\Bonjour
.
==================== Find3M ====================
.
2011-11-18 05:28:23 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29:02 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 23:00:50 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 04:05:04 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05:04 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05:04 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 04:05:04 178536 ----a-w- c:\windows\system32\dnssdX.dll
.
============= FINISH: 7:25:04.17 ===============
 
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/25/2011 6:25:39 PM
System Uptime: 11/24/2011 12:51:22 AM (7 hours ago)
.
Motherboard: Lite-On Tech. | | 0888h
Processor: Intel(R) Celeron(R) CPU 2.00GHz | mPGA-478 | 2000/100mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 18.457 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP241: 10/1/2011 8:15:34 PM - System Checkpoint
RP242: 10/2/2011 9:35:42 PM - System Checkpoint
RP243: 10/3/2011 9:57:17 PM - System Checkpoint
RP244: 10/4/2011 9:58:43 PM - System Checkpoint
RP245: 10/5/2011 11:29:00 PM - System Checkpoint
RP246: 10/6/2011 11:55:34 PM - System Checkpoint
RP247: 10/8/2011 12:39:30 AM - System Checkpoint
RP248: 10/9/2011 12:48:18 AM - System Checkpoint
RP249: 10/10/2011 1:31:02 AM - System Checkpoint
RP250: 10/11/2011 1:38:58 AM - System Checkpoint
RP251: 10/12/2011 2:27:15 AM - System Checkpoint
RP252: 10/13/2011 12:01:59 AM - Software Distribution Service 3.0
RP253: 10/14/2011 1:56:25 AM - System Checkpoint
RP254: 10/15/2011 2:39:00 AM - System Checkpoint
RP255: 10/16/2011 3:35:44 AM - System Checkpoint
RP256: 10/17/2011 4:24:33 AM - System Checkpoint
RP257: 10/18/2011 5:16:50 AM - System Checkpoint
RP258: 10/19/2011 6:12:23 AM - System Checkpoint
RP259: 10/20/2011 6:36:24 AM - System Checkpoint
RP260: 10/21/2011 7:05:32 AM - System Checkpoint
RP261: 10/22/2011 8:01:59 AM - System Checkpoint
RP262: 10/23/2011 8:56:01 AM - System Checkpoint
RP263: 10/24/2011 9:47:24 AM - System Checkpoint
RP264: 10/25/2011 10:41:42 AM - System Checkpoint
RP265: 10/26/2011 1:05:14 PM - System Checkpoint
RP266: 10/27/2011 5:05:54 PM - System Checkpoint
RP267: 10/28/2011 7:20:31 PM - System Checkpoint
RP268: 10/29/2011 7:48:17 PM - System Checkpoint
RP269: 10/30/2011 8:19:53 PM - System Checkpoint
RP270: 11/30/2011 4:00:43 PM - System Checkpoint
RP271: 12/1/2011 4:24:31 PM - System Checkpoint
RP272: 11/2/2011 5:15:08 PM - System Checkpoint
RP273: 11/3/2011 10:06:12 PM - System Checkpoint
RP274: 11/5/2011 1:42:01 AM - System Checkpoint
RP275: 11/6/2011 12:43:35 AM - System Checkpoint
RP276: 11/7/2011 12:47:36 AM - System Checkpoint
RP277: 11/8/2011 3:12:51 AM - System Checkpoint
RP278: 11/9/2011 3:31:39 AM - System Checkpoint
RP279: 11/10/2011 4:29:21 AM - System Checkpoint
RP280: 11/11/2011 5:24:47 AM - System Checkpoint
RP281: 11/12/2011 6:17:05 AM - System Checkpoint
RP282: 11/13/2011 7:11:29 AM - System Checkpoint
RP283: 11/14/2011 8:06:08 AM - System Checkpoint
RP284: 11/15/2011 9:37:18 PM - System Checkpoint
RP285: 11/16/2011 11:52:22 PM - System Checkpoint
RP286: 11/18/2011 2:00:18 AM - System Checkpoint
RP287: 11/18/2011 3:00:46 AM - Software Distribution Service 3.0
RP288: 12/18/2011 4:39:42 PM - System Checkpoint
RP289: 11/19/2011 1:45:33 AM - System Checkpoint
RP290: 11/20/2011 1:54:44 AM - System Checkpoint
RP291: 11/21/2011 2:45:47 AM - System Checkpoint
RP292: 11/22/2011 3:45:47 AM - System Checkpoint
RP293: 11/23/2011 5:50:17 AM - System Checkpoint
RP294: 11/24/2011 5:55:34 AM - System Checkpoint
.
==== Installed Programs ======================
.
ABBYY FineReader 6.0 Sprint
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader X (10.1.1)
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
CCleaner
Compatibility Pack for the 2007 Office system
FaxTools
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB954550-v5)
Intel(R) Extreme Graphics Driver
iTunes
Java Auto Updater
Java(TM) 6 Update 26
Junk Mail filter update
Learning Essentials for Microsoft Office
Lexmark Pro200-S500 Series
Lexmark Toolbar
Lexmark Tools for Office
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam Software
Logitech SetPoint
Logitech® Camera Driver
Malwarebytes' Anti-Malware version 1.51.2.1300
McAfee Security Scan Plus
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Works 7.0
Mozilla Firefox 7.0.1 (x86 en-US)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
PCI SoftV92 Modem
Picture Package Music Transfer
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB923789)
Segoe UI
Sony Picture Utility
Sony USB Driver
SoundMAX
SpywareBlaster 4.4
SUPERAntiSpyware
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB2641690)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
.
==== Event Viewer Messages From Past Week ========
.
11/24/2011 7:16:00 AM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
11/24/2011 7:16:00 AM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
11/24/2011 6:16:00 AM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
11/24/2011 6:16:00 AM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
11/24/2011 5:16:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
11/24/2011 5:16:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402
11/24/2011 4:16:00 AM, error: Schedule [7901] - The At9.job command failed to start due to the following error: %%2147942402
11/24/2011 4:16:00 AM, error: Schedule [7901] - The At10.job command failed to start due to the following error: %%2147942402
11/24/2011 3:16:00 AM, error: Schedule [7901] - The At8.job command failed to start due to the following error: %%2147942402
11/24/2011 3:16:00 AM, error: Schedule [7901] - The At7.job command failed to start due to the following error: %%2147942402
11/24/2011 2:16:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
11/24/2011 2:16:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
11/24/2011 12:51:54 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/24/2011 12:16:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
11/24/2011 12:16:00 AM, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
11/24/2011 1:26:34 AM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
11/24/2011 1:16:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
11/24/2011 1:16:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
11/23/2011 9:16:00 PM, error: Schedule [7901] - The At44.job command failed to start due to the following error: %%2147942402
11/23/2011 9:16:00 PM, error: Schedule [7901] - The At43.job command failed to start due to the following error: %%2147942402
11/23/2011 8:16:00 PM, error: Schedule [7901] - The At42.job command failed to start due to the following error: %%2147942402
11/23/2011 8:16:00 PM, error: Schedule [7901] - The At41.job command failed to start due to the following error: %%2147942402
11/23/2011 7:16:05 PM, error: Schedule [7901] - The At40.job command failed to start due to the following error: %%2147942402
11/23/2011 7:16:05 PM, error: Schedule [7901] - The At39.job command failed to start due to the following error: %%2147942402
11/23/2011 6:16:00 PM, error: Schedule [7901] - The At38.job command failed to start due to the following error: %%2147942402
11/23/2011 6:16:00 PM, error: Schedule [7901] - The At37.job command failed to start due to the following error: %%2147942402
11/23/2011 5:16:00 PM, error: Schedule [7901] - The At36.job command failed to start due to the following error: %%2147942402
11/23/2011 5:16:00 PM, error: Schedule [7901] - The At35.job command failed to start due to the following error: %%2147942402
11/23/2011 4:16:13 PM, error: Schedule [7901] - The At34.job command failed to start due to the following error: %%2147942402
11/23/2011 4:16:07 PM, error: Schedule [7901] - The At33.job command failed to start due to the following error: %%2147942402
11/23/2011 3:16:01 PM, error: Schedule [7901] - The At32.job command failed to start due to the following error: %%2147942402
11/23/2011 3:16:00 PM, error: Schedule [7901] - The At31.job command failed to start due to the following error: %%2147942402
11/23/2011 2:16:00 PM, error: Schedule [7901] - The At30.job command failed to start due to the following error: %%2147942402
11/23/2011 2:16:00 PM, error: Schedule [7901] - The At29.job command failed to start due to the following error: %%2147942402
11/23/2011 11:16:01 PM, error: Schedule [7901] - The At48.job command failed to start due to the following error: %%2147942402
11/23/2011 11:16:00 PM, error: Schedule [7901] - The At47.job command failed to start due to the following error: %%2147942402
11/23/2011 10:16:07 PM, error: Schedule [7901] - The At46.job command failed to start due to the following error: %%2147942402
11/23/2011 10:16:04 PM, error: Schedule [7901] - The At45.job command failed to start due to the following error: %%2147942402
11/23/2011 1:53:03 AM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
11/23/2011 1:16:00 PM, error: Schedule [7901] - The At28.job command failed to start due to the following error: %%2147942402
11/23/2011 1:16:00 PM, error: Schedule [7901] - The At27.job command failed to start due to the following error: %%2147942402
.
==== End Of File ===========================
 
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-24 07:19:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400EB-11CPF0 rev.06.04G06
Running: dojw0u75.exe; Driver: C:\DOCUME~1\Joe\LOCALS~1\Temp\pxtdipow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF7464210]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF7464224]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7464250]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF74642A6]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF74641FC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF74641D4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF74641E8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF746423A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF746427C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7464266]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF74642D0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF74642BC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7464290]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

? svshi.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01C20000
.text C:\WINDOWS\Explorer.EXE[296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01C20FDB
.text C:\WINDOWS\Explorer.EXE[296] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 01C20011
.text C:\WINDOWS\Explorer.EXE[296] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02C70000
.text C:\WINDOWS\Explorer.EXE[296] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02C70F77
.text C:\WINDOWS\Explorer.EXE[296] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02C7006C
.text C:\WINDOWS\Explorer.EXE[296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02C70F92
.text C:\WINDOWS\Explorer.EXE[296] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02C70FAF
.text C:\WINDOWS\Explorer.EXE[296] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02C70036
.text C:\WINDOWS\Explorer.EXE[296] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02C700C9
.text C:\WINDOWS\Explorer.EXE[296] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02C700AE
.text C:\WINDOWS\system32\svchost.exe[1664] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E7001D
.text C:\WINDOWS\system32\svchost.exe[1664] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E6000A
.text C:\WINDOWS\system32\svchost.exe[1664] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\svchost.exe[1664] WININET.dll!InternetOpenW 3D95DB11 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[1664] WININET.dll!InternetOpenUrlA 3D95F3AC 5 Bytes JMP 00E5001B
.text C:\WINDOWS\system32\svchost.exe[1664] WININET.dll!InternetOpenUrlW 3D9A6D6F 5 Bytes JMP 00E50036
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1992] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\mfevtps.exe[380] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\WINDOWS\system32\mfevtps.exe[380] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\WINDOWS\system32\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B099A000-B09B3000 (102400 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5AJBX514\search[9].htm 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\5AJBX514\dnserrordiagoff_webOC[2] 0 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BW6LX5GA\dnserrordiagoff_webOC[1] 6766 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S93RU3PU\info_48[1] 6993 bytes
File C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\S93RU3PU\bullet[2] 0 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730 0 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\bckfg.tmp 952 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\cfg.ini 234 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\keywords 0 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\L 0 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\L\jnlnahny 162816 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\lsflt7.ver 5174 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\U 0 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\U\80000000.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB3945$\1589858730\U\80000032.@ 97792 bytes
File C:\WINDOWS\$NtUninstallKB3945$\2724383865 0 bytes

---- EOF - GMER 1.0.15 ----
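The "User code sections" block of the GMER log above is worth triaging mechanically rather than by eye. The following Python is an added example, not part of the original thread and not GMER's own code: it parses GMER's inline-hook lines, folds a split patch (the `RegCreateKeyW + 3 ... [08, 89]` continuation) back onto the hook it belongs to, and separates hooks that GMER attributed to a module and vendor (the `mcproxy.dll` entries in `McSvHost.exe`) from hooks whose `JMP` target it could not place in any loaded module, then summarises per process which API families the unattributed hooks cover. The sample input is a handful of lines copied from the log above; the capability map and the rule "unattributed target means suspicious" are this example's own assumptions.

```python
import re

# Sample input: a few "User code sections" lines copied from the GMER log above
SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[1524] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00750FEF
.text C:\WINDOWS\system32\svchost.exe[1664] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\svchost.exe[1664] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E900D5
.text C:\WINDOWS\system32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00E80F9E
.text C:\WINDOWS\system32\svchost.exe[1664] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [08, 89]
.text C:\WINDOWS\system32\svchost.exe[1664] WININET.dll!InternetOpenA 3D95D698 5 Bytes JMP 00E50FEF
.text C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe[1992] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
"""

# .text <process>[<pid>] <module>!<export>[ + N] <addr> <n> Bytes JMP <target> [<owner> (<vendor>)]
# or, for the second half of a split patch:              <addr> <n> Bytes [xx, yy]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)(?:\s+\+\s*\d+)?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<owner>\S.*?)\s+\((?P<vendor>[^)]*)\))?"
    r"|\[(?P<raw>[^\]]*)\])\s*$"
)

# Assumed grouping of hooked exports by what an interceptor gains (this example's own map)
CAPABILITIES = {
    "file": {"NtCreateFile", "CreateFileA", "CreateFileW", "_open", "_wopen", "_creat", "_wcreat"},
    "process": {"NtCreateProcess", "CreateProcessA", "CreateProcessW", "WinExec", "system", "_wsystem"},
    "loader": {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"},
    "memory": {"NtProtectVirtualMemory", "VirtualProtect", "VirtualProtectEx"},
    "network": {"socket", "InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "InternetOpenUrlW"},
}


def capability(func):
    if func.startswith("Reg"):
        return "registry"
    return next((cap for cap, names in CAPABILITIES.items() if func in names), "other")


def parse_hooks(text):
    """One dict per hooked export; a '+ N ... [xx, yy]' fragment is folded into the preceding hook."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        if m.group("raw") is not None:
            if hooks:
                hooks[-1]["split"] = True   # remainder of a patch GMER printed in two parts
            continue
        hooks.append({
            "process": m.group("proc"), "pid": int(m.group("pid")),
            "module": m.group("module"), "func": m.group("func"),
            "addr": int(m.group("addr"), 16), "size": int(m.group("size")),
            "target": int(m.group("target"), 16),
            "owner": m.group("owner"), "vendor": m.group("vendor"), "split": False,
        })
    return hooks


def triage(hooks):
    """Per PID: hooks GMER attributed to a named module versus hooks it could not place anywhere."""
    report = {}
    for h in hooks:
        r = report.setdefault(h["pid"], {"process": h["process"], "attributed": 0,
                                         "unattributed": 0, "capabilities": set(), "targets": []})
        if h["owner"]:
            r["attributed"] += 1
        else:
            r["unattributed"] += 1
            r["capabilities"].add(capability(h["func"]))
            r["targets"].append(h["target"])
    for r in report.values():
        # A JMP into memory that belongs to no loaded module is assumed to be injected code
        r["suspicious"] = r["unattributed"] > 0
        r["target_range"] = (min(r["targets"]), max(r["targets"])) if r["targets"] else None
    return report


def summarize(report):
    lines = []
    for pid, r in sorted(report.items()):
        verdict = "UNATTRIBUTED HOOKS" if r["suspicious"] else "vendor-attributed only"
        span = "%08X-%08X" % r["target_range"] if r["target_range"] else "n/a"
        lines.append(f"{r['process']}[{pid}]: {verdict}; {r['unattributed']} unattributed, "
                     f"{r['attributed']} attributed; capabilities={sorted(r['capabilities'])}; targets={span}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(parse_hooks(SAMPLE_LOG)))))
```

Run against the full log, the two `svchost.exe` instances come out with unattributed hooks on every family (file, process, loader, memory, registry, network) pointing into the same small low-address range, while `McSvHost.exe` shows only the vendor-attributed `LoadLibrary` hooks; that contrast, not the hook count, is what separates a security product from an interceptor.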
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them, resulting in the tool not working correctly, which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends that you uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode (How to...)

2. Delete the Combofix file, download a fresh one, but rename combofix.exe to yourname.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix 11-11-25.01 - Dawn B 11/24/2011 23:28:54.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.744 [GMT -6:00]
Running from: c:\documents and settings\Dawn B\My Documents\Downloads\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Joe\Application Data\hYwVtPySiDn4Q6K
c:\documents and settings\Joe\Application Data\hYwVtPySiDn4Q6K\Cloud AV 2012.ico
c:\documents and settings\Joe\Application Data\K689wetyioasfgj
c:\documents and settings\Joe\Application Data\K689wetyioasfgj\Cloud AV 2012.ico
c:\program files\LP
c:\program files\LP\CF20\245.tmp
c:\program files\LP\CF20\246.tmp
c:\program files\LP\CF20\3ED.tmp
c:\program files\LP\CF20\3F6.exe
c:\program files\LP\CF20\3F6.tmp
c:\program files\LP\CF20\704.tmp
c:\program files\LP\CF20\705.tmp
c:\program files\LP\CF20\706.tmp
c:\program files\LP\CF20\709.tmp
c:\program files\LP\CF20\C9.exe
c:\program files\LP\CF20\C9.tmp
c:\program files\LP\CF20\CD.tmp
c:\program files\LP\CF20\CF.exe
c:\program files\LP\CF20\CF.tmp
c:\program files\LP\CF20\D1.tmp
c:\program files\LP\CF20\D8.tmp
c:\windows\$NtUninstallKB3945$\1589858730\@
c:\windows\$NtUninstallKB3945$\1589858730\bckfg.tmp
c:\windows\$NtUninstallKB3945$\1589858730\cfg.ini
c:\windows\$NtUninstallKB3945$\1589858730\Desktop.ini
c:\windows\$NtUninstallKB3945$\1589858730\keywords
c:\windows\$NtUninstallKB3945$\1589858730\kwrd.dll
c:\windows\$NtUninstallKB3945$\1589858730\L\jnlnahny
c:\windows\$NtUninstallKB3945$\1589858730\lsflt7.ver
c:\windows\$NtUninstallKB3945$\1589858730\U\00000001.@
c:\windows\$NtUninstallKB3945$\1589858730\U\00000002.@
c:\windows\$NtUninstallKB3945$\1589858730\U\00000004.@
c:\windows\$NtUninstallKB3945$\1589858730\U\80000000.@
c:\windows\$NtUninstallKB3945$\1589858730\U\80000004.@
c:\windows\$NtUninstallKB3945$\1589858730\U\80000032.@
c:\windows\$NtUninstallKB3945$\2724383865
c:\windows\bwUnin-6.1.4.68-8876480L.exe
c:\windows\bwUnin-7.2.0.137-8876480SL.exe
c:\windows\$NtUninstallKB3945$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-10-25 to 2011-11-25 )))))))))))))))))))))))))))))))
.
.
2011-11-24 04:13 . 2011-11-24 04:13 -------- d-----w- c:\documents and settings\Joe\Application Data\UKLXeryuopsdgh
2011-11-23 20:06 . 2011-11-23 20:06 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-11-23 19:53 . 2011-11-23 19:53 -------- d-----w- c:\documents and settings\Joe\Application Data\iTjCkVzAuSoFpsJ
2011-11-23 19:52 . 2011-11-23 19:52 -------- d-----w- c:\documents and settings\Joe\Application Data\L9gTXqjUCkBzNx
2011-11-23 19:52 . 2011-11-23 19:52 -------- d-----w- c:\documents and settings\Joe\Application Data\SD2onF4pm5W7TYl
2011-11-23 00:22 . 2011-11-23 00:22 -------- d-----w- c:\documents and settings\Joe\Application Data\KCekIrzNx1v2b4m
2011-11-23 00:21 . 2011-11-23 00:21 -------- d-----w- c:\documents and settings\Joe\Application Data\abD3oG4Q6W7R9Tq
2011-11-22 22:22 . 2011-11-22 22:22 -------- d-----w- c:\documents and settings\Joe\Application Data\wL9hTwUeIt
2011-11-22 22:22 . 2011-11-22 22:22 -------- d-----w- c:\documents and settings\Joe\Application Data\QrONx0c2b3n5Q6K
2011-11-22 20:57 . 2011-11-22 20:57 -------- d-----w- c:\documents and settings\Joe\Application Data\gx0Sbp5Qd8h
2011-11-22 20:57 . 2011-11-22 20:57 -------- d-----w- c:\documents and settings\Joe\Application Data\ZmG5lyHLCNuopsR
2011-11-22 20:57 . 2011-11-24 05:14 -------- d-----w- c:\program files\4B0D4
2011-11-22 20:56 . 2011-11-23 19:59 -------- d-----w- c:\documents and settings\Joe\Application Data\0834B
2011-11-22 20:56 . 2011-11-22 20:56 -------- d-----w- c:\documents and settings\Joe\Application Data\CEK8fZhXjVOtPyS
2011-11-22 20:56 . 2011-11-22 20:56 -------- d-----w- c:\documents and settings\Joe\Application Data\wVelOx0Sio
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-10-27 20:57 . 2011-10-27 21:00 -------- d-----w- c:\program files\QuickTime
2011-10-27 20:16 . 2011-10-27 20:16 -------- d-----w- c:\program files\iPod
2011-10-27 20:16 . 2011-10-27 20:21 -------- d-----w- c:\program files\iTunes
2011-10-27 20:00 . 2011-10-27 20:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-10-27 19:57 . 2011-10-27 19:57 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 05:28 . 2011-09-10 18:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22 . 2002-08-29 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-08-29 10:40 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2001-08-18 05:36 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2001-08-18 05:35 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2002-08-29 09:14 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 23:00 . 2011-06-28 04:28 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-09-30 22:52 . 2011-03-26 22:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2011-03-27 01:01 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-12-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dawn B^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Dawn B\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 12:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2011-01-24 01:00 148280 ----a-w- c:\program files\Lexmark Pro200-S500 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2011-09-10 18:22 247968 ----a-w- c:\windows\system32\Macromed\Flash\FlashUtil11b_Plugin.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 23:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2011-03-25 23:58 32768 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark Pro200-S500 Series Fax Server]
2011-01-24 01:00 316072 ----a-w- c:\program files\Lexmark Pro200-S500 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-01-18 23:07 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-01-18 23:47 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-01-18 23:37 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2004-10-08 17:52 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxebmon.exe]
2011-01-24 01:00 770728 ----a-w- c:\program files\Lexmark Pro200-S500 Series\lxebmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-08-31 23:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2011-06-28 12:01 1195408 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetFxUpdate_v1.1.4322]
2004-08-10 21:20 106496 ----a-w- c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-12-19 01:12 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\WINDOWS\\system32\\lxebcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/26/2011 2:35 PM 84200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 12:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 11:48 AM 116608]
R2 lxeb_device;lxeb_device;c:\windows\system32\lxebcoms.exe -service --> c:\windows\system32\lxebcoms.exe -service [?]
R2 lxebCATSCustConnectService;lxebCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxebserv.exe [5/17/2011 5:58 PM 193192]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/27/2011 10:28 PM 366152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/26/2011 2:35 PM 271480]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/26/2011 2:35 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [3/26/2011 2:35 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [3/26/2011 2:36 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [3/26/2011 2:19 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/26/2011 2:35 PM 56064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/27/2011 10:28 PM 22216]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/26/2011 2:35 PM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/26/2011 2:35 PM 88736]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 6:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/26/2011 2:35 PM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/26/2011 2:35 PM 84488]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
 
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Dawn B\Application Data\Mozilla\Firefox\Profiles\9jqu77q9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-24 23:52
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,be,2f,41,19,e6,8e,4e,b4,bd,b8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,be,2f,41,19,e6,8e,4e,b4,bd,b8,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(980)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(3152)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxebcoms.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-11-25 00:04:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-11-25 06:04
.
Pre-Run: 19,991,334,912 bytes free
Post-Run: 20,178,661,376 bytes free
.
- - End Of File - - 39BF777F2E9983A8716185B8A0557F1D
 
1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
Folder::
c:\documents and settings\Joe\Application Data\wVelOx0Sio
c:\documents and settings\Joe\Application Data\CEK8fZhXjVOtPyS
c:\documents and settings\Joe\Application Data\0834B
c:\program files\4B0D4
c:\documents and settings\Joe\Application Data\ZmG5lyHLCNuopsR
c:\documents and settings\Joe\Application Data\gx0Sbp5Qd8h
c:\documents and settings\Joe\Application Data\QrONx0c2b3n5Q6K
c:\documents and settings\Joe\Application Data\wL9hTwUeIt
c:\documents and settings\Joe\Application Data\abD3oG4Q6W7R9Tq
c:\documents and settings\Joe\Application Data\KCekIrzNx1v2b4m
c:\documents and settings\Joe\Application Data\SD2onF4pm5W7TYl
c:\documents and settings\Joe\Application Data\L9gTXqjUCkBzNx
c:\documents and settings\Joe\Application Data\iTjCkVzAuSoFpsJ
c:\documents and settings\Joe\Application Data\UKLXeryuopsdgh

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
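The CFScript above was assembled by hand from the ComboFix "Files Created" listing: every folder in its Folder:: block was created between 2011-11-22 and 2011-11-24 and carries a machine-generated name, while PrivacIE, QuickTime, iTunes, Bonjour and the Apple folders from the same listing were left alone. The following Python is an added example, not part of the thread and not ComboFix's own code: it parses "Files Created" lines, keeps directories created on or after a cutoff date whose basename looks generated, and emits a Folder:: block together with the Registry:: block from the script above, which resets the two Security Center DisableMonitoring values (shown as 1 in the log) to 0. The sample input is a subset of lines copied from the log; the case-flip, digit-interleaving, consonant-run and short-hex rules, and the cutoff date, are this example's own heuristics and assumptions.

```python
import re
from datetime import date

# Sample input: a subset of lines copied from the ComboFix "Files Created" section above
SAMPLE_CREATED = r"""
2011-11-24 04:13 . 2011-11-24 04:13 -------- d-----w- c:\documents and settings\Joe\Application Data\UKLXeryuopsdgh
2011-11-23 20:06 . 2011-11-23 20:06 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-11-22 20:57 . 2011-11-22 20:57 -------- d-----w- c:\documents and settings\Joe\Application Data\gx0Sbp5Qd8h
2011-11-22 20:57 . 2011-11-24 05:14 -------- d-----w- c:\program files\4B0D4
2011-11-22 20:56 . 2011-11-23 19:59 -------- d-----w- c:\documents and settings\Joe\Application Data\0834B
2011-11-22 20:56 . 2011-11-22 20:56 -------- d-----w- c:\documents and settings\Joe\Application Data\wVelOx0Sio
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-10-27 20:57 . 2011-10-27 21:00 -------- d-----w- c:\program files\QuickTime
2011-10-27 20:00 . 2011-10-27 20:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
"""

# <created date> <time> . <modified date> <time> <size or dashes> <attributes> <path>
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\S+)\s+(?P<attrs>\S{8})\s+(?P<path>.+?)\s*$"
)

# Keys the log shows with DisableMonitoring=1 (Security Center told to stop watching McAfee)
SECURITY_CENTER_KEYS = (
    r"HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus",
    r"HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall",
)

VOWELS = set("aeiouyAEIOUY")


def parse_created(text):
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            entries.append({"created": date.fromisoformat(m.group("created")),
                            "is_dir": m.group("attrs").startswith("d"),
                            "path": m.group("path")})
    return entries


def looks_random(name):
    """Heuristic (this example's own) for generated names such as hYwVtPySiDn4Q6K or 4B0D4."""
    if not name.isascii() or not name.isalnum() or len(name) < 4:
        return False
    has_digit = any(c.isdigit() for c in name)
    has_alpha = any(c.isalpha() for c in name)
    # short names drawn only from hex digits, e.g. 4B0D4 / 0834B
    if has_digit and has_alpha and len(name) <= 8 and all(c in "0123456789ABCDEF" for c in name):
        return True
    letters = [c for c in name if c.isalpha()]
    case_flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    digit_flips = sum(a.isdigit() != b.isdigit() for a, b in zip(name, name[1:]))
    run = longest = 0
    for c in letters:                      # longest consonant run, with y counted as a vowel
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return case_flips >= 4 or digit_flips >= 3 or longest >= 4


def suspicious_folders(entries, since):
    """Directories created on or after `since` (ISO date) whose basename looks generated."""
    cutoff = date.fromisoformat(since)
    return [e["path"] for e in entries
            if e["is_dir"] and e["created"] >= cutoff
            and looks_random(e["path"].rsplit("\\", 1)[-1])]


def build_cfscript(folders, keys=SECURITY_CENTER_KEYS):
    """Folder:: block for the flagged directories plus the Registry:: block used in the thread."""
    lines = ["Folder::", *folders, "", "Registry::"]
    for key in keys:
        lines += [f"[{key}]", '"DisableMonitoring"=dword:00000000']
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Cutoff assumed from the dates in this thread: the first generated folders appear on 2011-11-22
    print(build_cfscript(suspicious_folders(parse_created(SAMPLE_CREATED), since="2011-11-22")))
```

Two independent filters are deliberate: the date window alone would also catch PrivacIE (created 2011-11-23), and the name heuristic alone would flag generated names from long before the incident; only folders that fail both tests go into the script, and the result is still something to read through before dragging it onto ComboFix, not an automated deletion list.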
 
ComboFix 11-11-25.02 - Dawn B 11/26/2011 0:46.9.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.864 [GMT -6:00]
Running from: c:\documents and settings\Joe\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Joe\My Documents\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Joe\Application Data\0834B
c:\documents and settings\Joe\Application Data\0834B\B0D4.834
c:\documents and settings\Joe\Application Data\abD3oG4Q6W7R9Tq
c:\documents and settings\Joe\Application Data\CEK8fZhXjVOtPyS
c:\documents and settings\Joe\Application Data\gx0Sbp5Qd8h
c:\documents and settings\Joe\Application Data\gx0Sbp5Qd8h\AV Protection 2011.ico
c:\documents and settings\Joe\Application Data\iTjCkVzAuSoFpsJ
c:\documents and settings\Joe\Application Data\KCekIrzNx1v2b4m
c:\documents and settings\Joe\Application Data\KCekIrzNx1v2b4m\AV Protection 2011.ico
c:\documents and settings\Joe\Application Data\L9gTXqjUCkBzNx
c:\documents and settings\Joe\Application Data\QrONx0c2b3n5Q6K
c:\documents and settings\Joe\Application Data\SD2onF4pm5W7TYl
c:\documents and settings\Joe\Application Data\UKLXeryuopsdgh
c:\documents and settings\Joe\Application Data\wL9hTwUeIt
c:\documents and settings\Joe\Application Data\wL9hTwUeIt\AV Protection 2011.ico
c:\documents and settings\Joe\Application Data\wVelOx0Sio
c:\documents and settings\Joe\Application Data\ZmG5lyHLCNuopsR
c:\program files\4B0D4
c:\windows\help\wmplayer.bak
.
.
((((((((((((((((((((((((( Files Created from 2011-10-26 to 2011-11-26 )))))))))))))))))))))))))))))))
.
.
2011-11-23 20:06 . 2011-11-23 20:06 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin6.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin5.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin4.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin3.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin2.dll
2011-10-27 21:00 . 2011-10-27 21:00 159744 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin.dll
2011-10-27 20:57 . 2011-10-27 21:00 -------- d-----w- c:\program files\QuickTime
2011-10-27 20:16 . 2011-10-27 20:16 -------- d-----w- c:\program files\iPod
2011-10-27 20:16 . 2011-10-27 20:21 -------- d-----w- c:\program files\iTunes
2011-10-27 20:00 . 2011-10-27 20:00 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-10-27 19:57 . 2011-10-27 19:57 -------- d-----w- c:\program files\Bonjour
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-18 05:28 . 2011-09-10 18:22 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29 . 2011-10-24 19:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22 . 2002-08-29 10:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-08-29 10:40 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2001-08-18 05:36 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2001-08-18 05:35 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2002-08-29 09:14 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-31 23:00 . 2011-06-28 04:28 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 04:05 . 2011-08-31 04:05 83816 ----a-w- c:\windows\system32\dns-sd.exe
2011-08-31 04:05 . 2011-08-31 04:05 73064 ----a-w- c:\windows\system32\dnssd.dll
2011-08-31 04:05 . 2011-08-31 04:05 50536 ----a-w- c:\windows\system32\jdns_sd.dll
2011-08-31 04:05 . 2011-08-31 04:05 178536 ----a-w- c:\windows\system32\dnssdX.dll
2011-09-30 22:52 . 2011-03-26 22:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-04-14 19:01 . 2011-03-27 01:01 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2011-06-28 1195408]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-12-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dawn B^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Dawn B\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-06-06 17:55 937920 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-09-27 12:22 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
2011-01-24 01:00 148280 ----a-w- c:\program files\Lexmark Pro200-S500 Series\ezprint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FlashPlayerUpdate]
2011-09-10 18:22 247968 ----a-w- c:\windows\system32\Macromed\Flash\FlashUtil11b_Plugin.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-10-09 23:06 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2011-03-25 23:58 32768 ----a-w- c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark Pro200-S500 Series Fax Server]
2011-01-24 01:00 316072 ----a-w- c:\program files\Lexmark Pro200-S500 Series\fm3032.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2005-01-18 23:07 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2005-01-18 23:47 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2005-01-18 23:37 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2004-10-08 17:52 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxebmon.exe]
2011-01-24 01:00 770728 ----a-w- c:\program files\Lexmark Pro200-S500 Series\lxebmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-08-31 23:00 449608 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
2011-06-28 12:01 1195408 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 03:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NetFxUpdate_v1.1.4322]
2004-08-10 21:20 106496 ----a-w- c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-24 21:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 17:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2011-12-19 01:12 4617600 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Common Files\\Mcafee\\McSvcHost\\McSvHost.exe"=
"c:\\WINDOWS\\system32\\lxebcoms.exe"=
"c:\\Program Files\\Abbyy FineReader 6.0 Sprint\\Scan\\ScanMan6.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [3/26/2011 2:35 PM 84200]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 12:25 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67664]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [3/26/2011 2:35 PM 56064]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/27/2011 10:28 PM 22216]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [3/26/2011 2:35 PM 314088]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [3/26/2011 2:35 PM 88736]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [3/26/2011 2:35 PM 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [3/26/2011 2:35 PM 84488]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.my.yahoo.com
mSearch Bar = hxxp://go.compaq.com/1Q00CDT/0409/bl8.asp
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Dawn B\Application Data\Mozilla\Firefox\Profiles\9jqu77q9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.att.net/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-26 01:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,be,2f,41,19,e6,8e,4e,b4,bd,b8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,be,2f,41,19,e6,8e,4e,b4,bd,b8,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(980)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
Completion time: 2011-11-26 01:12:47
ComboFix-quarantined-files.txt 2011-11-26 07:12
ComboFix2.txt 2011-11-25 06:04
.
Pre-Run: 20,083,576,832 bytes free
Post-Run: 20,095,373,312 bytes free
.
- - End Of File - - 25FBE2132A34352762B139D28FB9F2D0
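An added cross-check, not part of the thread or of ComboFix itself: the Python below parses the CFScript's Folder:: and Registry:: sections and the "Other Deletions" section of the resulting ComboFix log, then reports which scripted folders the log confirms as removed, which are absent from it, and which deletions ComboFix made on its own (the log above shows the .ico files and wmplayer.bak as such extras). The sample strings are constructed from the paths quoted above, with one scripted folder deliberately left out of the log to show the "missing" case.

```python
"""Reconcile a ComboFix CFScript with the log ComboFix wrote after running it.
Added example, not part of the thread or of ComboFix; inputs are constructed
from paths quoted above (UKLXeryuopsdgh is left out of the log on purpose)."""
import re

# Constructed CFScript (same syntax as the one pasted into Notepad above).
CFSCRIPT = r'''Folder::
c:\documents and settings\Joe\Application Data\wVelOx0Sio
c:\documents and settings\Joe\Application Data\CEK8fZhXjVOtPyS
c:\documents and settings\Joe\Application Data\gx0Sbp5Qd8h
c:\program files\4B0D4
c:\documents and settings\Joe\Application Data\UKLXeryuopsdgh

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
'''

# Constructed excerpt of a ComboFix log (banners shortened, '.' spacer lines kept).
COMBOFIX_LOG = r'''(((((((((( Other Deletions ))))))))))
.
c:\documents and settings\Joe\Application Data\CEK8fZhXjVOtPyS
c:\documents and settings\Joe\Application Data\gx0Sbp5Qd8h
c:\documents and settings\Joe\Application Data\gx0Sbp5Qd8h\AV Protection 2011.ico
c:\documents and settings\Joe\Application Data\wVelOx0Sio
c:\program files\4B0D4
c:\windows\help\wmplayer.bak
.
(((((((((( Files Created from 2011-10-26 to 2011-11-26 ))))))))))
'''

SECTION_RE = re.compile(r"^(\w+)::$")            # e.g. 'Folder::', 'Registry::'
BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")   # ComboFix '(((( Title ))))' banners


def parse_cfscript(text):
    """Split a CFScript into {'Folder': [...], 'Registry': [...]}; blank lines dropped."""
    sections, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
    return sections


def parse_other_deletions(log):
    """Paths listed between the 'Other Deletions' banner and the next banner."""
    paths, inside = [], False
    for line in (ln.strip() for ln in log.splitlines()):
        m = BANNER_RE.match(line)
        if m:
            inside = m.group(1).lower() == "other deletions"
        elif inside and line and line != ".":
            paths.append(line)
    return paths


def _norm(path):
    return path.strip().rstrip("\\").lower()


def reconcile(scripted_folders, deleted_paths):
    """Return (confirmed, missing, extra): scripted folders seen in the log, scripted
    folders absent from it, and logged deletions outside every scripted folder."""
    wanted = [_norm(f) for f in scripted_folders]
    seen = {_norm(d) for d in deleted_paths}
    confirmed = [f for f in scripted_folders if _norm(f) in seen]
    missing = [f for f in scripted_folders if _norm(f) not in seen]
    extra = [d for d in deleted_paths
             if _norm(d) not in wanted
             and not any(_norm(d).startswith(w + "\\") for w in wanted)]
    return confirmed, missing, extra


def registry_fixes(lines):
    """Group a Registry:: section into {key: {value_name: data}} (REGEDIT4 syntax)."""
    fixes, key = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            fixes[key] = {}
        elif key is not None and "=" in line:
            name, data = line.split("=", 1)
            fixes[key][name.strip('"')] = data
    return fixes


def monitoring_restored(fixes):
    """Security Center 'Monitoring' keys whose DisableMonitoring is reset to 0."""
    return [k for k, values in fixes.items()
            if "security center\\monitoring" in k.lower()
            and values.get("DisableMonitoring", "").lower() == "dword:00000000"]


if __name__ == "__main__":
    sections = parse_cfscript(CFSCRIPT)
    confirmed, missing, extra = reconcile(sections["Folder"], parse_other_deletions(COMBOFIX_LOG))
    print("confirmed:", len(confirmed), "missing:", missing, "extra:", extra)
    print("monitoring re-enabled for:", monitoring_restored(registry_fixes(sections["Registry"])))
```

Any folder that turns up in "missing" was not reported deleted and is worth re-checking before declaring the machine clean.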
 
Good :)

How is the computer doing?

Download OTL to your Desktop.

  • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click the Scan All Users checkbox.
  • Under the Custom Scan box paste this in:


netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%systemroot%\AppPatch\Custom\*.*
%APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
%PROGRAMFILES%\PC-Doctor\Downloads\*.*
%PROGRAMFILES%\Internet Explorer\*.tmp
%PROGRAMFILES%\Internet Explorer\*.dat
%USERPROFILE%\My Documents\*.exe
%USERPROFILE%\*.exe
%systemroot%\ADDINS\*.*
%systemroot%\assembly\*.bak2
%systemroot%\Config\*.*
%systemroot%\REPAIR\*.bak2
%systemroot%\SECURITY\Database\*.sdb /x
%systemroot%\SYSTEM\*.bak2
%systemroot%\Web\*.bak2
%systemroot%\Driver Cache\*.*
%PROGRAMFILES%\Mozilla Firefox\0*.exe
%ProgramFiles%\Microsoft Common\*.*
%ProgramFiles%\TinyProxy.
%USERPROFILE%\Favorites\*.url /x
%systemroot%\system32\*.bk
%systemroot%\*.te
%systemroot%\system32\system32\*.*
%ALLUSERSPROFILE%\*.dat /x
%systemroot%\system32\drivers\*.rmv
dir /b "%systemroot%\system32\*.exe" | find /i " " /c
dir /b "%systemroot%\*.exe" | find /i " " /c
%PROGRAMFILES%\Microsoft\*.*
%systemroot%\System32\Wbem\proquota.exe
%PROGRAMFILES%\Mozilla Firefox\*.dat
%USERPROFILE%\Cookies\*.txt /x
%SystemRoot%\system32\fonts\*.*
%systemroot%\system32\winlog\*.*
%systemroot%\system32\Language\*.*
%systemroot%\system32\Settings\*.*
%systemroot%\system32\*.quo
%SYSTEMROOT%\AppPatch\*.exe
%SYSTEMROOT%\inf\*.exe
%SYSTEMROOT%\Installer\*.exe
%systemroot%\system32\config\*.bak2
%systemroot%\system32\Computers\*.*
%SystemRoot%\system32\Sound\*.*
%SystemRoot%\system32\SpecialImg\*.*
%SystemRoot%\system32\code\*.*
%SystemRoot%\system32\draft\*.*
%SystemRoot%\system32\MSSSys\*.*
%ProgramFiles%\Javascript\*.*
%systemroot%\pchealth\helpctr\System\*.exe /s
%systemroot%\Web\*.exe
%systemroot%\system32\msn\*.*
%systemroot%\system32\*.tro
%AppData%\Microsoft\Installer\msupdates\*.*
%ProgramFiles%\Messenger\*.*
%systemroot%\system32\systhem32\*.*
%systemroot%\system\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
OTL logfile created on: 11/26/2011 11:45:10 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Dawn B\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.24 Gb Total Physical Memory | 0.74 Gb Available Physical Memory | 59.68% Memory free
2.96 Gb Paging File | 2.45 Gb Available in Paging File | 82.54% Paging File free
Paging file location(s): C:\pagefile.sys 1908 3816 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 18.71 Gb Free Space | 50.21% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: Dawn B | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/12/18 19:12:14 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
PRC - [2011/11/26 11:42:55 | 000,584,192 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dawn B\My Documents\Downloads\OTL.exe
PRC - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2011/06/28 06:01:30 | 001,195,408 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2011/04/14 13:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mfefire.exe
PRC - [2011/04/14 13:01:38 | 000,171,168 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\SystemCore\mcshield.exe
PRC - [2011/04/14 13:01:38 | 000,141,792 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\mfevtps.exe
PRC - [2010/04/14 13:56:01 | 000,598,696 | ---- | M] ( ) -- C:\WINDOWS\system32\lxebcoms.exe
PRC - [2010/04/14 13:55:54 | 000,193,192 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxebserv.exe
PRC - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
PRC - [2010/01/15 06:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2008/04/13 18:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (No Company Name) ==========

MOD - [2011/06/24 21:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 21:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2010/02/05 12:27:45 | 001,291,776 | ---- | M] () -- C:\WINDOWS\system32\quartz.dll
MOD - [2009/12/31 00:16:47 | 000,049,152 | ---- | M] () -- C:\WINDOWS\system32\LXEBPMON.DLL
MOD - [2009/11/09 02:06:45 | 000,159,744 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxebprpr.dll
MOD - [2009/11/04 07:14:38 | 000,165,376 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxebdrui.dll
MOD - [2009/11/04 07:14:19 | 000,157,696 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxebdrpp.dll
MOD - [2009/11/04 07:14:06 | 000,236,032 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxebdr.dll
MOD - [2009/10/30 11:47:14 | 001,003,520 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxebhpec.dll
MOD - [2009/05/27 06:16:50 | 000,192,512 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxebdatr.dll
MOD - [2009/05/18 07:29:08 | 000,819,200 | ---- | M] () -- C:\WINDOWS\system32\spool\drivers\w32x86\3\lxebptpc.dll
MOD - [2009/02/20 02:48:43 | 000,023,552 | ---- | M] () -- C:\WINDOWS\system32\LXEBsmr.dll
MOD - [2009/02/20 02:48:03 | 000,299,008 | ---- | M] () -- C:\WINDOWS\system32\LXEBsm.dll
MOD - [2009/01/13 07:15:12 | 004,485,120 | ---- | M] () -- C:\WINDOWS\system32\LXEBoem.dll
MOD - [2008/04/13 18:11:59 | 000,014,336 | ---- | M] () -- C:\WINDOWS\system32\msdmo.dll
MOD - [2008/04/13 18:11:51 | 000,059,904 | ---- | M] () -- C:\WINDOWS\system32\devenum.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [On_Demand | Stopped] -- -- (AppMgmt)
SRV - [2011/12/18 19:12:14 | 000,116,608 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE.EXE -- (!SASCORE)
SRV - [2011/08/31 17:00:48 | 000,366,152 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2011/04/14 13:01:38 | 000,188,136 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe -- (mfefire)
SRV - [2011/04/14 13:01:38 | 000,171,168 | ---- | M] () [Unknown | Running] -- C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe -- (McShield)
SRV - [2011/04/14 13:01:38 | 000,141,792 | ---- | M] (McAfee, Inc.) [Unknown | Running] -- C:\WINDOWS\system32\mfevtps.exe -- (mfevtp)
SRV - [2010/10/07 19:34:28 | 000,364,216 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2010/04/14 13:56:01 | 000,598,696 | ---- | M] ( ) [Auto | Running] -- C:\WINDOWS\System32\lxebcoms.exe -- (lxeb_device)
SRV - [2010/04/14 13:55:54 | 000,193,192 | ---- | M] () [Auto | Running] -- C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxebserv.exe -- (lxebCATSCustConnectService)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McProxy)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNASvc)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McNaiAnn)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (mcmscsvc)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McMPFSvc)
SRV - [2010/03/10 09:14:44 | 000,271,480 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe -- (McAfee SiteAdvisor Service)
SRV - [2010/01/15 06:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (catchme)
DRV - [2011/12/18 19:10:52 | 000,067,664 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2011/12/18 19:10:49 | 000,012,880 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS -- (SASDIFSV)
DRV - [2011/08/31 17:00:50 | 000,022,216 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2011/04/14 13:01:38 | 000,387,480 | ---- | M] (McAfee, Inc.) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2011/04/14 13:01:38 | 000,314,088 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfefirek.sys -- (mfefirek)
DRV - [2011/04/14 13:01:38 | 000,153,280 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2011/04/14 13:01:38 | 000,095,824 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfeapfk.sys -- (mfeapfk)
DRV - [2011/04/14 13:01:38 | 000,088,736 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendiskmp)
DRV - [2011/04/14 13:01:38 | 000,088,736 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mfendisk.sys -- (mfendisk)
DRV - [2011/04/14 13:01:38 | 000,084,488 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mferkdet.sys -- (mferkdet)
DRV - [2011/04/14 13:01:38 | 000,084,200 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\mfetdi2k.sys -- (mfetdi2k)
DRV - [2011/04/14 13:01:38 | 000,056,064 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\cfwids.sys -- (cfwids)
DRV - [2011/04/14 13:01:38 | 000,052,320 | ---- | M] (McAfee, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2010/04/28 06:44:02 | 000,054,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2008/04/13 13:21:00 | 000,162,816 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\netbt.sys -- (NetBT)
DRV - [2007/04/26 08:23:44 | 000,988,032 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DPV.sys -- (HSF_DPV)
DRV - [2007/04/26 08:23:08 | 000,267,520 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2007/04/26 08:23:04 | 000,731,136 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2006/01/20 18:02:40 | 000,013,440 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\L8042Kbd.sys -- (L8042Kbd)
DRV - [2005/01/31 04:20:03 | 000,211,712 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LV561AV.SYS -- (PID_0928) Logitech QuickCam Express(PID_0928)
DRV - [2005/01/31 04:12:46 | 000,022,016 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2004/08/03 23:29:49 | 000,019,455 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wvchntxx.sys -- (iAimFP4)
DRV - [2004/08/03 23:29:47 | 000,012,063 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wsiintxx.sys -- (iAimFP3)
DRV - [2004/08/03 23:29:45 | 000,023,615 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wch7xxnt.sys -- (iAimTV4)
DRV - [2004/08/03 23:29:43 | 000,033,599 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv04nt.sys -- (iAimTV3)
DRV - [2004/08/03 23:29:42 | 000,019,551 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv02nt.sys -- (iAimTV1)
DRV - [2004/08/03 23:29:41 | 000,029,311 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\watv01nt.sys -- (iAimTV0)
DRV - [2004/08/03 23:29:37 | 000,012,415 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv01nt.sys -- (iAimFP0)
DRV - [2004/08/03 23:29:37 | 000,012,127 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv02nt.sys -- (iAimFP1)
DRV - [2004/08/03 23:29:37 | 000,011,775 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\wadv05nt.sys -- (iAimFP2)
DRV - [2004/08/03 23:29:36 | 000,161,020 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\i81xnt5.sys -- (i81x)
DRV - [2003/07/29 15:47:32 | 000,043,136 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\bcm4sbxp.sys -- (bcm4sbxp)
DRV - [2002/04/04 00:32:06 | 000,028,416 | R--- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\DRIVERS\symmpi.sys -- (Symmpi)
DRV - [2001/08/17 15:28:12 | 000,488,383 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_V124.sys -- (V124)
DRV - [2001/08/17 15:28:12 | 000,050,751 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_TONE.sys -- (Tones)
DRV - [2001/08/17 15:28:10 | 000,542,879 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_MSFT.sys -- (hsf_msft)
DRV - [2001/08/17 15:28:10 | 000,057,471 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_SAMP.sys -- (Rksample)
DRV - [2001/08/17 15:28:08 | 000,391,199 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_K56K.sys -- (K56)
DRV - [2001/08/17 15:28:06 | 000,289,887 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FALL.sys -- (Fallback)
DRV - [2001/08/17 15:28:06 | 000,199,711 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FAXX.sys -- (SoftFax)
DRV - [2001/08/17 15:28:06 | 000,115,807 | ---- | M] (Conexant) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\HSF_FSKS.sys -- (Fsks)
DRV - [2001/08/17 15:28:04 | 000,067,167 | ---- | M] (Conexant) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\HSF_BSC2.sys -- (basic2)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp


IE - HKU\.DEFAULT\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "AutoConfigURL" = http://autoconfig.cpqcorp.net

IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://att.my.yahoo.com
IE - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-3290618298-3779888089-3528686488-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://go.compaq.com/1Q00CDT/0409/bl8.asp
IE - HKU\S-1-5-21-3290618298-3779888089-3528686488-1007\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
IE - HKU\S-1-5-21-3290618298-3779888089-3528686488-1007\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKU\S-1-5-21-3290618298-3779888089-3528686488-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.att.net/"
FF - prefs.js..network.proxy.type: 0

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8117.0416: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2011/11/17 18:52:57 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/10/27 15:00:10 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 7.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins

[2011/03/26 16:46:27 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dawn B\Application Data\Mozilla\Extensions
[2011/11/18 23:03:43 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Dawn B\Application Data\Mozilla\Firefox\Profiles\9jqu77q9.default\extensions
[2011/11/18 23:03:43 | 000,000,000 | ---D | M] (WOT) -- C:\Documents and Settings\Dawn B\Application Data\Mozilla\Firefox\Profiles\9jqu77q9.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2011/07/19 22:17:21 | 000,002,306 | ---- | M] () -- C:\Documents and Settings\Dawn B\Application Data\Mozilla\Firefox\Profiles\9jqu77q9.default\searchplugins\wot-safe-search.xml
[2011/07/01 00:39:26 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2011/07/01 00:39:28 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
() (No name found) -- C:\DOCUMENTS AND SETTINGS\DAWN B\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\9JQU77Q9.DEFAULT\EXTENSIONS\{D10D0BF8-F5B5-C8B4-A8B2-2B9879E08C5D}.XPI
[2011/07/01 00:38:30 | 000,000,000 | ---D | M] (Java Quick Starter) -- C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF
[2011/11/17 18:52:57 | 000,000,000 | ---D | M] (McAfee SiteAdvisor) -- C:\PROGRAM FILES\MCAFEE\SITEADVISOR
[2011/03/26 06:16:39 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION
[2011/09/30 16:52:33 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/04/14 13:01:38 | 000,024,376 | ---- | M] (McAfee, Inc.) -- C:\Program Files\mozilla firefox\components\Scriptff.dll
[2010/01/01 02:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml

O1 HOSTS File: ([2011/11/26 01:06:47 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\Common Files\Mcafee\SystemCore\ScriptSn.20110509214019.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1007\..\Toolbar\ShellBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O3 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1007\..\Toolbar\WebBrowser: (Lexmark Toolbar) - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll ()
O4 - HKLM..\Run: [mcui_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk = C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (McAfee, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: EditLevel = 0
O7 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoFileMenu = 0
O7 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCommonGroups = 0
O7 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1007\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1301098716453 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1301103901046 (MUWebControl Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{5552D5E7-8E2B-4EFD-8EB1-1188DC6F16FF}: DhcpNameServer = 192.168.2.1
O18 - Protocol\Handler\bw+0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw+0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw-0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw00 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw00s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw-0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw10 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw10s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw20 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw20s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw30 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw30s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw40 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw40s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw50 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw50s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw60 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw60s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw70 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw70s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw80 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw80s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw90 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bw90s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwa0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwa0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwb0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwb0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwc0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwc0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwd0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwd0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwe0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwe0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwf0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwf0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwg0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwg0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwh0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwh0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwi0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwi0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwj0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwj0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwk0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwk0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwl0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwl0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwm0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwm0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwn0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwn0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwo0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwo0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwp0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwp0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwq0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwq0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwr0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwr0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bws0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bws0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwt0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwt0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwu0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwu0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwv0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwv0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bww0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bww0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwx0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwx0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwy0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwy0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwz0 {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\bwz0s {08396647-5a35-4510-8f19-10eee8b129a5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\offline-8876480 {08396647-5A35-4510-8F19-10EEE8B129A5} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll (BackWeb Technologies Inc. )
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) -Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) -C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-3290618298-3779888089-3528686488-1007 Winlogon: Shell - (EXPLORER.EXE) -EXPLORER.EXE (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - (C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL) - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\Dawn B\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Dawn B\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: AppMgmt - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

Drivers32: msacm.l3acm - C:\WINDOWS\system32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: msacm.sl_anet - C:\WINDOWS\System32\sl_anet.acm (Sipro Lab Telecom Inc.)
Drivers32: msacm.trspch - C:\WINDOWS\System32\tssoft32.acm (DSP GROUP, INC.)
Drivers32: MSVideo - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: MSVideo8 - C:\WINDOWS\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\WINDOWS\System32\iccvid.dll (Radius Inc.)
Drivers32: VIDC.I420 - C:\WINDOWS\System32\lvcodec2.dll (Logitech Inc.)
Drivers32: vidc.iv31 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv32 - C:\WINDOWS\System32\ir32_32.dll ()
Drivers32: vidc.iv41 - C:\WINDOWS\System32\ir41_32.ax (Intel Corporation)
Drivers32: vidc.iv50 - C:\WINDOWS\System32\ir50_32.dll (Intel Corporation)
Drivers32: wave1 - C:\WINDOWS\System32\serwvdrv.dll (Microsoft Corporation)

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2011/11/26 00:44:24 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2011/11/24 23:50:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\McAfee
[2011/11/24 23:15:14 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2011/11/24 23:15:14 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2011/11/24 23:15:14 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2011/11/24 23:14:28 | 000,000,000 | ---D | C] -- C:\Qoobox
[2011/11/22 22:17:49 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Dawn B\Recent
[2011/11/22 19:04:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/11/22 15:08:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/11/22 15:08:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/10/27 14:59:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\QuickTime
[2011/10/27 14:57:23 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2011/10/27 14:21:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\iTunes
[2011/10/27 14:16:43 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2011/10/27 14:16:25 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2011/10/27 14:00:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Apple Computer
[2011/10/27 13:57:04 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2011/05/17 17:58:14 | 000,442,368 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebcoin.dll
[2011/05/17 17:51:49 | 000,356,352 | ---- | C] ( ) -- C:\WINDOWS\System32\LXEBhcp.dll
[2011/05/17 17:51:48 | 000,847,872 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebusb1.dll
[2011/05/17 17:51:48 | 000,364,544 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebinpa.dll
[2011/05/17 17:51:48 | 000,344,064 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebiesc.dll
[2011/05/17 17:51:47 | 001,048,576 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebserv.dll
[2011/05/17 17:51:47 | 000,643,072 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebpmui.dll
[2011/05/17 17:51:47 | 000,577,536 | ---- | C] ( ) -- C:\WINDOWS\System32\lxeblmpm.dll
[2011/05/17 17:51:45 | 000,688,128 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebhbn3.dll
[2011/05/17 17:51:45 | 000,324,264 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebih.exe
[2011/05/17 17:51:43 | 000,802,816 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebcomc.dll
[2011/05/17 17:51:43 | 000,598,696 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebcoms.exe
[2011/05/17 17:51:43 | 000,372,736 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebcomm.dll
[2011/05/17 17:51:42 | 000,373,416 | ---- | C] ( ) -- C:\WINDOWS\System32\lxebcfg.exe

========== Files - Modified Within 30 Days ==========

[2011/11/26 01:06:47 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/11/24 23:50:44 | 000,001,595 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2011/11/24 23:50:04 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/11/24 23:50:03 | 1333,317,632 | -HS- | M] () -- C:\hiberfil.sys
[2011/11/24 20:23:49 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/11/24 11:33:06 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2011/11/24 00:00:21 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2011/11/23 13:13:27 | 000,000,000 | ---- | M] () -- C:\WINDOWS\System32\S0708ML.com.b
[2011/11/23 13:13:02 | 000,000,112 | ---- | M] () -- C:\Documents and Settings\All Users\Application Data\io2guibM.dat
[2011/11/22 21:27:17 | 000,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/11/17 18:50:05 | 000,441,800 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2011/11/17 18:50:05 | 000,072,008 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2011/10/27 15:22:44 | 000,000,682 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\CCleaner.lnk
[2011/10/27 14:59:41 | 000,001,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/10/27 14:21:28 | 000,001,542 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
 
========== Files Created - No Company Name ==========

[2011/11/24 23:15:14 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2011/11/24 23:15:14 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2011/11/24 23:15:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2011/11/24 23:15:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2011/11/24 23:15:14 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2011/11/24 22:37:33 | 1333,317,632 | -HS- | C] () -- C:\hiberfil.sys
[2011/11/23 13:13:27 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\S0708ML.com.b
[2011/11/23 13:05:57 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\io2guibM.dat
[2011/11/23 05:20:24 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/10/27 14:59:41 | 000,001,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\QuickTime Player.lnk
[2011/10/27 14:21:28 | 000,001,542 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2011/06/18 09:35:20 | 000,000,348 | ---- | C] () -- C:\WINDOWS\hegames.ini
[2011/05/17 17:58:22 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxebvs.dll
[2011/05/17 17:57:58 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\lxebgcfg.dll
[2011/05/17 17:57:57 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\lxebcuir.dll
[2011/05/17 17:57:56 | 000,294,912 | ---- | C] () -- C:\WINDOWS\System32\lxebcui.dll
[2011/05/17 17:55:26 | 000,049,152 | ---- | C] () -- C:\WINDOWS\System32\LXEBPMON.DLL
[2011/05/17 17:55:26 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\LXEBFXPU.DLL
[2011/05/17 17:55:25 | 004,485,120 | ---- | C] () -- C:\WINDOWS\System32\LXEBoem.dll
[2011/05/17 17:51:49 | 000,331,776 | ---- | C] () -- C:\WINDOWS\System32\LXEBinst.dll
[2011/05/17 17:51:46 | 000,323,584 | ---- | C] () -- C:\WINDOWS\System32\lxebins.dll
[2011/05/17 17:51:46 | 000,262,144 | ---- | C] () -- C:\WINDOWS\System32\lxebinsb.dll
[2011/05/17 17:51:46 | 000,106,496 | ---- | C] () -- C:\WINDOWS\System32\lxebinsr.dll
[2011/05/17 17:51:46 | 000,057,344 | ---- | C] () -- C:\WINDOWS\System32\lxebjswr.dll
[2011/05/17 17:51:45 | 000,208,896 | ---- | C] () -- C:\WINDOWS\System32\lxebgrd.dll
[2011/05/17 17:51:44 | 000,253,952 | ---- | C] () -- C:\WINDOWS\System32\lxebcu.dll
[2011/05/17 17:51:44 | 000,090,112 | ---- | C] () -- C:\WINDOWS\System32\lxebcub.dll
[2011/05/17 17:51:44 | 000,036,864 | ---- | C] () -- C:\WINDOWS\System32\lxebcur.dll
[2011/05/17 17:30:22 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\LXEBsmr.dll
[2011/05/17 17:30:21 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\LXEBsm.dll
[2011/04/08 12:10:53 | 000,003,654 | ---- | C] () -- C:\WINDOWS\System32\drivers\Sonyhcp.dll
[2011/04/05 17:23:47 | 000,005,632 | ---- | C] () -- C:\Documents and Settings\Dawn B\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/03/28 16:44:22 | 000,000,129 | ---- | C] () -- C:\Documents and Settings\Dawn B\Local Settings\Application Data\fusioncache.dat
[2011/03/28 16:10:35 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2011/03/26 16:45:54 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/03/25 20:17:53 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2011/03/25 20:09:43 | 000,001,056 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2011/03/25 19:50:23 | 000,004,605 | ---- | C] () -- C:\WINDOWS\System32\oembios.dat
[2011/03/25 19:50:17 | 013,107,200 | ---- | C] () -- C:\WINDOWS\System32\oembios.bin
[2011/03/25 19:50:13 | 000,000,741 | ---- | C] () -- C:\WINDOWS\System32\noise.dat
[2011/03/25 19:48:52 | 000,001,804 | ---- | C] () -- C:\WINDOWS\System32\dcache.bin
[2011/03/25 18:44:52 | 000,004,569 | ---- | C] () -- C:\WINDOWS\System32\secupd.dat
[2011/03/25 18:01:35 | 000,009,255 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2011/03/25 17:52:36 | 000,053,248 | R--- | C] () -- C:\WINDOWS\System32\InstMed.exe
[2011/03/25 17:31:53 | 000,000,260 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2003/05/19 19:05:28 | 000,224,024 | ---- | C] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2003/05/19 19:00:48 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2003/05/19 18:57:14 | 000,021,640 | ---- | C] () -- C:\WINDOWS\System32\emptyregdb.dat
[2003/05/19 18:56:46 | 000,441,800 | ---- | C] () -- C:\WINDOWS\System32\perfh009.dat
[2003/05/19 18:56:46 | 000,072,008 | ---- | C] () -- C:\WINDOWS\System32\perfc009.dat
[2003/05/19 12:10:14 | 000,002,048 | --S- | C] () -- C:\WINDOWS\bootstat.dat
[2003/01/07 14:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/08/29 03:01:58 | 000,162,816 | ---- | C] () -- C:\WINDOWS\System32\drivers\netbt.sys
[2001/08/17 14:30:26 | 000,272,128 | ---- | C] () -- C:\WINDOWS\System32\perfi009.dat
[2001/08/17 14:30:26 | 000,028,626 | ---- | C] () -- C:\WINDOWS\System32\perfd009.dat
[2001/08/17 14:15:40 | 000,046,258 | ---- | C] () -- C:\WINDOWS\System32\mib.bin
[2001/07/21 15:36:50 | 000,218,003 | ---- | C] () -- C:\WINDOWS\System32\dssec.dat
[2001/07/21 15:36:06 | 000,673,088 | ---- | C] () -- C:\WINDOWS\System32\mlang.dat
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2011/03/25 17:42:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\BVRP Software
[2011/04/10 00:58:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FileCure
[2011/06/17 12:27:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Lexmark Pro200-S500 Series
[2011/05/17 17:55:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Pro200-S500 Series
[2011/04/19 23:37:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2011/03/25 17:53:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn B\Application Data\FotoWire
[2011/05/18 13:12:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn B\Application Data\Pro200-S500 Series
[2011/04/07 00:39:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Dawn B\Application Data\Template
[2011/06/02 07:44:10 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Joe\Application Data\Pro200-S500 Series

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2011/05/05 19:46:24 | 000,000,211 | ---- | M] () -- C:\Boot.bak
[2011/06/28 13:44:28 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2004/08/03 22:00:00 | 000,260,272 | RHS- | M] () -- C:\cmldr
[2011/11/26 01:12:50 | 000,015,300 | ---- | M] () -- C:\ComboFix.txt
[2011/08/30 11:29:04 | 000,000,272 | ---- | M] () -- C:\faxfile.log
[2011/11/24 23:50:03 | 1333,317,632 | -HS- | M] () -- C:\hiberfil.sys
[2011/06/18 09:35:16 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2011/03/25 17:51:52 | 000,000,183 | ---- | M] () -- C:\LogiSetup.log
[2011/06/18 09:35:16 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2011/03/25 18:53:42 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2011/03/25 21:43:07 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2011/07/08 15:16:35 | 000,262,144 | ---- | M] () -- C:\ntuser.dat
[2011/08/11 12:10:00 | 000,001,024 | -H-- | M] () -- C:\ntuser.dat.LOG
[2011/11/24 23:50:01 | 2000,683,008 | -HS- | M] () -- C:\pagefile.sys
[2011/03/25 17:42:45 | 000,000,168 | ---- | M] () -- C:\setupfax.log

< %systemroot%\Fonts\*.com >
[2006/04/18 14:39:28 | 000,026,040 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/06/29 13:53:56 | 000,026,489 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 000,029,779 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/06/29 13:58:52 | 000,030,808 | ---- | M] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2003/05/19 12:00:12 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2008/07/06 06:06:10 | 000,089,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
[2009/11/04 07:14:19 | 000,157,696 | ---- | M] () -- C:\WINDOWS\system32\spool\prtprocs\w32x86\lxebdrpp.dll
[2007/04/09 12:23:54 | 000,028,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
[2008/07/06 04:50:03 | 000,597,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
[2002/05/14 16:50:34 | 000,011,264 | ---- | M] (BVRP Software) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\wfxprint2000.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >
[2010/04/16 23:04:40 | 000,306,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WLXPGSS.SCR

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2003/05/19 11:48:54 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2003/05/19 11:48:54 | 000,602,112 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2003/05/19 11:48:54 | 000,376,832 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.lnk /x >
[2011/03/25 21:49:10 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x >
[2011/03/25 19:26:23 | 000,000,177 | -HS- | M] () -- C:\Documents and Settings\Dawn B\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
[2011/03/25 17:27:02 | 000,000,079 | ---- | M] () -- C:\Documents and Settings\Dawn B\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf

< %USERPROFILE%\Desktop\*.exe >

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< %systemroot%\AppPatch\Custom\*.* >

< %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x >

< %PROGRAMFILES%\PC-Doctor\Downloads\*.* >

< %PROGRAMFILES%\Internet Explorer\*.tmp >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %USERPROFILE%\My Documents\*.exe >
[2011/07/05 16:49:30 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Dawn B\My Documents\TFC.exe

< %USERPROFILE%\*.exe >

< %systemroot%\ADDINS\*.* >

< %systemroot%\assembly\*.bak2 >

< %systemroot%\Config\*.* >

< %systemroot%\REPAIR\*.bak2 >

< %systemroot%\SECURITY\Database\*.sdb /x >

< %systemroot%\SYSTEM\*.bak2 >

< %systemroot%\Web\*.bak2 >

< %systemroot%\Driver Cache\*.* >

< %PROGRAMFILES%\Mozilla Firefox\0*.exe >

< %ProgramFiles%\Microsoft Common\*.* >

< %ProgramFiles%\TinyProxy. >

< %USERPROFILE%\Favorites\*.url /x >
[2011/03/25 19:26:23 | 000,000,122 | -HS- | M] () -- C:\Documents and Settings\Dawn B\Favorites\Desktop.ini

< %systemroot%\system32\*.bk >

< %systemroot%\*.te >

< %systemroot%\system32\system32\*.* >

< %ALLUSERSPROFILE%\*.dat /x >
[2011/05/17 17:43:04 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\cmn_upld.log
[2011/05/17 19:55:05 | 000,000,252 | ---- | M] () -- C:\Documents and Settings\All Users\FastPics.log
[2011/09/13 16:05:33 | 000,000,336 | ---- | M] () -- C:\Documents and Settings\All Users\lxeb.log
[2011/08/18 22:47:51 | 000,000,614 | ---- | M] () -- C:\Documents and Settings\All Users\lxebDiagnostics.log
[2011/08/22 09:23:56 | 000,040,027 | ---- | M] () -- C:\Documents and Settings\All Users\lxebJSW.log
[2011/11/10 16:00:07 | 000,020,080 | ---- | M] () -- C:\Documents and Settings\All Users\lxebscan.log
[2011/05/17 17:43:04 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\LxWbGwLog.log
[2011/05/17 17:42:07 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\All Users\UpdaterLog.txt

< %systemroot%\system32\drivers\*.rmv >

< dir /b "%systemroot%\system32\*.exe" | find /i " " /c >

< dir /b "%systemroot%\*.exe" | find /i " " /c >

< %PROGRAMFILES%\Microsoft\*.* >

< %systemroot%\System32\Wbem\proquota.exe >

< %PROGRAMFILES%\Mozilla Firefox\*.dat >

< %USERPROFILE%\Cookies\*.txt /x >
[2011/11/26 07:43:01 | 000,098,304 | ---- | M] () -- C:\Documents and Settings\Dawn B\Cookies\index.dat

< %SystemRoot%\system32\fonts\*.* >

< %systemroot%\system32\winlog\*.* >

< %systemroot%\system32\Language\*.* >

< %systemroot%\system32\Settings\*.* >

< %systemroot%\system32\*.quo >

< %SYSTEMROOT%\AppPatch\*.exe >

< %SYSTEMROOT%\inf\*.exe >
[2007/06/26 21:10:26 | 000,317,440 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\inf\unregmp2.exe

< %SYSTEMROOT%\Installer\*.exe >

< %systemroot%\system32\config\*.bak2 >

< %systemroot%\system32\Computers\*.* >

< %SystemRoot%\system32\Sound\*.* >

< %SystemRoot%\system32\SpecialImg\*.* >

< %SystemRoot%\system32\code\*.* >

< %SystemRoot%\system32\draft\*.* >

< %SystemRoot%\system32\MSSSys\*.* >

< %ProgramFiles%\Javascript\*.* >

< %systemroot%\pchealth\helpctr\System\*.exe /s >

< %systemroot%\Web\*.exe >

< %systemroot%\system32\msn\*.* >

< %systemroot%\system32\*.tro >

< %AppData%\Microsoft\Installer\msupdates\*.* >

< %ProgramFiles%\Messenger\*.* >
[2008/04/13 18:11:51 | 000,033,792 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\custsat.dll
[2002/08/20 21:29:46 | 000,004,821 | ---- | M] () -- C:\Program Files\Messenger\logowin.gif
[2002/08/20 15:32:18 | 000,007,047 | ---- | M] () -- C:\Program Files\Messenger\lvback.gif
[2002/08/20 15:32:22 | 000,000,807 | ---- | M] () -- C:\Program Files\Messenger\mailtmpl.txt
[2008/05/02 08:01:49 | 000,083,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgsc.dll
[2008/04/13 11:30:28 | 000,180,224 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msgslang.dll
[2008/04/13 18:12:28 | 001,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe
[2002/08/20 18:08:38 | 000,069,663 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgsin.exe
[2002/08/20 21:29:48 | 000,002,882 | ---- | M] () -- C:\Program Files\Messenger\newalert.wav
[2002/08/20 21:30:06 | 000,006,156 | ---- | M] () -- C:\Program Files\Messenger\newemail.wav
[2002/08/20 21:30:06 | 000,006,160 | ---- | M] () -- C:\Program Files\Messenger\online.wav
[2002/08/20 15:32:20 | 000,004,454 | ---- | M] () -- C:\Program Files\Messenger\type.wav
[2004/07/17 12:41:04 | 000,115,981 | ---- | M] () -- C:\Program Files\Messenger\xpmsgr.chm

< %systemroot%\system32\systhem32\*.* >

< %systemroot%\system\*.exe >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\ Auto Update\Results\Install|LastSuccessTime /rs >


< End of report >
 
OTL Extras logfile created on: 11/26/2011 11:45:10 AM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Dawn B\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.24 Gb Total Physical Memory | 0.74 Gb Available Physical Memory | 59.68% Memory free
2.96 Gb Paging File | 2.45 Gb Available in Paging File | 82.54% Paging File free
Paging file location(s): C:\pagefile.sys 1908 3816 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 18.71 Gb Free Space | 50.21% Space Free | Partition Type: NTFS

Computer Name: HOME | User Name: Dawn B | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.url [@ = InternetShortcut] -- rundll32.exe ieframe.dll,OpenURL %l

[HKEY_USERS\S-1-5-21-3290618298-3779888089-3528686488-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger -- (Logitech)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger -- (Logitech)
"C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe" = C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe:*:Enabled:McAfee Shared Service Host -- (McAfee, Inc.)
"C:\WINDOWS\system32\lxebcoms.exe" = C:\WINDOWS\system32\lxebcoms.exe:*:Enabled:pro200-S500 Series Server -- ( )
"C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe" = C:\Program Files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:*:Enabled:ABBYY FineReader -- (ABBYY (BIT Software))
"C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe" = C:\Program Files\Common Files\Apple\Apple Application Support\WebKit2WebProcess.exe:*:Enabled:WebKit -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" = Lexmark Toolbar
"{10812DE7-2E57-4740-B226-6B3BE34AF9D7}" = Lexmark Tools for Office
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216026FF}" = Java(TM) 6 Update 26
"{29ED20C9-5E15-4969-9279-25BF3727A3DA}" = iTunes
"{2E8EAC71-BFE4-417A-88F0-5A1BDFBCF5D3}" = Logitech SetPoint
"{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}" = Windows Live Communications Platform
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}" = Windows Live Essentials
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65962AC4-42C9-4006-97B1-CBB5E8C4E15C}" = Learning Essentials for Microsoft Office
"{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}" = Microsoft Works 7.0
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{79155F2B-9895-49D7-8612-D92580E0DE5B}" = Bonjour
"{7BE15435-2D3E-4B58-867F-9C75BED0208C}" = QuickTime
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Extreme Graphics Driver
"{8E5233E1-7495-44FB-8DEB-4BE906D59619}" = Junk Mail filter update
"{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}" = Logitech Desktop Messenger
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A00B9A50-3090-4CFF-9CDA-82DA0BEDAA21}" = Apple Mobile Device Support
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A83279FD-CA4B-4206-9535-90974DE76654}" = Apple Application Support
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.1)
"{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}" = ABBYY FineReader 6.0 Sprint
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}" = Windows Live Messenger
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C43048A9-742C-4DAD-90D2-E3B53C9DB825}" = Logitech QuickCam Software
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
"{CE2121C6-C94D-4A73-8EA4-6943F33EE335}" = Picture Package Music Transfer
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D92FF8EB-BD77-40AE-B68B-A6BFC6F8661D}" = Windows Live Family Safety
"{E6158D07-2637-4ECF-B576-37C489669174}" = Windows Live Call
"{EE39FFBD-544E-49E4-A999-6819828EAE91}" = Windows Live Photo Gallery
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F45298E5-0083-426F-A668-1A2C5F04B8A0}" = FaxTools
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_HSF" = PCI SoftV92 Modem
"ie8" = Windows Internet Explorer 8
"Lexmark Pro200-S500 Series" = Lexmark Pro200-S500 Series
"Logitech Print Service" = Logitech Print Service
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware version 1.51.2.1300
"McAfee Security Scan" = McAfee Security Scan Plus
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox 7.0.1 (x86 en-US)" = Mozilla Firefox 7.0.1 (x86 en-US)
"MSC" = McAfee SecurityCenter
"QcDrv" = Logitech® Camera Driver
"SpywareBlaster_is1" = SpywareBlaster 4.4
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"WinLiveSuite_Wave3" = Windows Live Essentials

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 8/18/2011 1:52:42 AM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application SUPERAntiSpyware.exe, version 4.56.0.1000, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/18/2011 1:55:56 AM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application SUPERAntiSpyware.exe, version 4.56.0.1000, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/18/2011 1:56:09 AM | Computer Name = HOME | Source = Application Hang | ID = 1001
Description = Fault bucket -1757544524.

Error - 8/18/2011 1:57:06 AM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application SUPERAntiSpyware.exe, version 4.56.0.1000, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/18/2011 1:58:01 AM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application SUPERAntiSpyware.exe, version 4.56.0.1000, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/18/2011 1:58:53 AM | Computer Name = HOME | Source = Application Hang | ID = 1001
Description = Fault bucket -1757544524.

Error - 8/18/2011 1:59:25 AM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application SUPERAntiSpyware.exe, version 4.56.0.1000, hang
module hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 8/18/2011 1:59:54 AM | Computer Name = HOME | Source = Application Hang | ID = 1001
Description = Fault bucket -1757544524.

Error - 8/18/2011 2:51:33 AM | Computer Name = HOME | Source = Application Hang | ID = 1002
Description = Hanging application TFC.exe, version 3.1.7.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 8/18/2011 2:51:43 AM | Computer Name = HOME | Source = Application Hang | ID = 1001
Description = Fault bucket 1967108785.

[ System Events ]
Error - 11/25/2011 12:47:39 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 11/25/2011 12:47:43 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 11/25/2011 12:56:19 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 11/25/2011 1:03:56 AM | Computer Name = HOME | Source = Service Control Manager | ID = 7023
Description = The Network Location Awareness (NLA) service terminated with the following
error: %%127

Error - 11/25/2011 1:31:06 AM | Computer Name = HOME | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 11/25/2011 1:54:47 AM | Computer Name = HOME | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 11/25/2011 1:58:49 AM | Computer Name = HOME | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.

Error - 11/25/2011 3:04:57 PM | Computer Name = HOME | Source = DCOM | ID = 10010
Description = The server {3A185DDE-E020-4985-A8F2-E27CDC4A0F3A} did not register
with DCOM within the required timeout.

Error - 11/25/2011 5:48:32 PM | Computer Name = HOME | Source = DCOM | ID = 10001
Description = Unable to start a DCOM Server: {3A185DDE-E020-4985-A8F2-E27CDC4A0F3A}
as /. The error: "%233" Happened while starting this command: "c:\PROGRA~1\mcafee.com\agent\mcagent.exe"
-Embedding

Error - 11/25/2011 5:51:26 PM | Computer Name = HOME | Source = DCOM | ID = 10010
Description = The server {209500FC-6B45-4693-8871-6296C4843751} did not register
with DCOM within the required timeout.


< End of report >
 