Old 03-13-2009, 11:46 AM   #1 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


AntivirusXPPro2009 Virus

Hi,

My kids' PC has been infected by this virus. It has McAfee loaded, which was running and up-to-date (but it didn't stop the virus). Then 3 days ago, my daughter clicked on an unknown link in MSN and hey presto.

When we boot up the machine we instantly get a message saying that our system is infected and we should purchase software to combat it. The Website for AntivirusPro2009 conveniently pops up.

It looks nasty - taskmgr is deactivated, regedit doesn't run and MS Works doesn't work. I've had a quick search for the virus files, but couldn't find anything obvious.

Below is the output from DDS.txt

Attached is the zip file attach.txt and ark.txt. The ark.txt file is not complete. After leaving GMER to run for several hours, I got the blue screen of death. So I re-ran it and stopped once it had checked the System.

Hope you can help me.

Regards, Simon.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Simon at 14:23:29.25 on 13/03/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://home.sweetim.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: SweetIM For Internet Explorer: {bc4ffe41-de9f-46fa-b455-aad49b9f9938} - c:\program files\macrogaming\sweetimbarforie\toolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6261\SiteAdv.dll
BHO: SWEETIE Class: {1a0aadcd-3a72-4b5f-900f-e3bb5a838e2a} - c:\progra~1\macrog~1\sweeti~1\toolbar.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: SweetIM For Internet Explorer: {bc4ffe41-de9f-46fa-b455-aad49b9f9938} - c:\program files\macrogaming\sweetimbarforie\toolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6261\SiteAdv.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Plus Atom] c:\docume~1\simon\applic~1\partju~1\mapidaleshim.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRunOnce: [Microsoft Update] KAV64.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [nwiz] nwiz.exe /install
mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Corel Photo Downloader] c:\program files\corel\corel snapfire plus\Corel Photo Downloader.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SiteAdvisor] c:\program files\siteadvisor\6172\SiteAdv.exe
mRun: [One view global this] c:\documents and settings\all users\application data\mpeg else one view\Idle amok.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows UDP Control Center] fxsteller.exe
mRun: [Microsoft Update] KAV64.EXE
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ralink~1.lnk - c:\program files\ralink\common\RaUI.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wg111v~1.lnk - c:\program files\netgear\wg111v2 configuration utility\RtlWake.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm035YYGB
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\windows\temp\ntdll64.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/ZwinkyInitialSetup1.0.1.1.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/sysreqlab2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6261\SiteAdv.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\simon\applic~1\mozilla\firefox\profiles\vlsmelgi.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\program files\siteadvisor\6261\ff\components\FFHook.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-03-13 13:45 275 a------- C:\dkn.exe
2009-03-13 13:41 93,266 ----h--- c:\windows\system32\kav64.exe
2009-03-13 13:41 93,266 a------- C:\rropt.exe
2009-03-12 21:49 <DIR> --dshr-- C:\RESTORE
2009-03-12 21:49 44,082 a------- C:\niggor.exe
2009-03-11 08:37 <DIR> --d----- c:\windows\system32\kazaabackupfiles
2009-03-10 20:01 104,960 a------- c:\windows\system32\ntdll64.exe
2009-03-10 19:31 446 a------- c:\windows\system32\win32hlp.cnf
2009-03-10 19:30 1,394 a------- c:\windows\system32\ahtn.htm
2009-03-10 19:30 4,785 a------- c:\windows\system32\warning.gif
2009-03-10 19:30 104,960 a------- c:\windows\system32\dllcache\userinit.exe
2009-03-10 19:30 722 a------- c:\windows\system32\test.ttt
2009-03-10 19:30 1 a------- c:\windows\system32\uniq.tll
2009-03-10 19:30 30,720 a------- c:\windows\system32\303369.exe
2009-03-10 18:09 48,690 ---shr-- c:\windows\fxsteller.exe
2009-03-07 17:45 88 ---shr-- c:\windows\system32\41B807F0D2.sys

==================== Find3M ====================

2009-03-10 19:30 104,960 a------- c:\windows\system32\userinit.exe
2009-03-09 20:04 10,510 a------- c:\docume~1\simon\applic~1\wklnhst.dat
2009-03-07 17:46 5,642 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-09 11:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-16 21:35 3,594,752 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-07-13 12:45 0 a------- c:\documents and settings\simon\jagex_runescape_preferences.dat
2008-05-30 14:26 61,224 a------- c:\documents and settings\simon\GoToAssistDownloadHelper.exe
2007-02-20 09:58 32 a----r-- c:\documents and settings\all users\hash.dat
2008-08-21 20:41 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082120080822\index.dat

============= FINISH: 14:23:45.79 ===============
Attached Files
File Type: zip Attach.zip (3.2 KB, 5 views)
scansdale is offline  
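Added example, not part of this thread and not code from DDS, ComboFix or any other tool named here: a small Python triage script that scans a DDS "Pseudo HJT Report" like the one in the post above for the persistence patterns this log shows (tool-lockout policies, Run entries that are bare filenames or live under user-writable directories, an LSP loaded from a temp directory, orphaned BHOs). The heuristics, rule names and the sample lines (copied from this post's log) are my own assumptions.

```python
"""Triage a DDS 'Pseudo HJT Report' for the persistence patterns seen in this thread.

Added example for this page; the heuristics below are assumptions of this example,
not logic from DDS or any cleanup tool. A hit means 'review this line', not 'malicious'.
"""
import re
from dataclasses import dataclass

# Policies the rogue AV in this thread set to lock the user out of tools / the desktop.
LOCKOUT_POLICIES = {"DisableTaskMgr", "NoActiveDesktopChanges", "NoSetActiveDesktop"}
# Directories a legitimate autostart entry rarely points into (user profile, temp).
USER_WRITABLE = re.compile(
    r"(?i)(\\docume~1\\|\\documents and settings\\|\\application data\\|\\applic~1\\|\\temp\\)"
)
RUN_LINE = re.compile(r"^(?P<hive>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
POLICY_LINE = re.compile(r"^(?P<hive>[umd]Policies-(?:system|explorer)): (?P<key>\w+) = (?P<val>\d+)")
LSP_LINE = re.compile(r"^LSP: (?P<path>.+)$")
NOFILE_LINE = re.compile(r"^(?:BHO|TB|IE): .*No File$")


@dataclass
class Finding:
    rule: str
    line: str


def _exe_path(cmd):
    """Return the part of a Run command that names the executable or DLL."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    if parts and parts[0].lower() == "rundll32.exe" and len(parts) > 1:
        return parts[1].split(",")[0]            # the DLL, not rundll32 itself
    return cmd                                   # unquoted: may contain spaces, keep whole


def triage(report):
    """Return a list of Finding for every report line that trips a heuristic."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        m = POLICY_LINE.match(line)
        if m and m["key"] in LOCKOUT_POLICIES and m["val"] != "0":
            findings.append(Finding("lockout-policy", line))
            continue
        m = RUN_LINE.match(line)
        if m:
            path = _exe_path(m["cmd"])
            # A bare filename resolves via PATH search; KAV64.EXE / fxsteller.exe in
            # this thread use that. Some legitimate vendor entries do too, hence 'review'.
            if "\\" not in path:
                findings.append(Finding("run-bare-filename", line))
            elif USER_WRITABLE.search(path):
                findings.append(Finding("run-user-writable-path", line))
            continue
        m = LSP_LINE.match(line)
        if m and re.search(r"(?i)\\temp\\", m["path"]):
            findings.append(Finding("lsp-from-temp", line))   # Winsock LSP from %TEMP%
            continue
        if NOFILE_LINE.match(line):
            findings.append(Finding("orphaned-bho", line))
    return findings


# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [Plus Atom] c:\docume~1\simon\applic~1\partju~1\mapidaleshim.exe
uRunOnce: [Microsoft Update] KAV64.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Windows UDP Control Center] fxsteller.exe
mRun: [One view global this] c:\documents and settings\all users\application data\mpeg else one view\Idle amok.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: NoDispAppearancePage = 0 (0x0)
BHO: NoExplorer - No File
LSP: c:\windows\temp\ntdll64.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.rule:24} {f.line}")
```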
Old 03-13-2009, 08:23 PM   #2 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: AntivirusXPPro2009 Virus

Hello, scansdale
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the button in the lower left hand corner of your screen.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished".

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author:

How to run ComboFix:
  1. Please download ComboFix from one of the following mirrors, and save it to your desktop.
  2. Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  3. Double click on your desktop.
  4. Read and accept (Press Yes) to the disclaimer.
  5. For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  6. ComboFix will run. Simply wait for it to finish.
  7. When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)

NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

Billy3
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
Billy O'Neal is offline  
Old 03-14-2009, 04:58 AM   #3 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


Re: AntivirusXPPro2009 Virus

Hi Bill,

Thanks for helping me out. It looks bad though !!

I saved Combofix to my desktop and ran it. This is what happened :

Issue 1) Got message box "The Application or DLL c:\windows\temp\ntd1164.dll is not a valid Windows image. Please check this against your installation diskette. OK"

I had to hit OK 6 times.

Issue 2) It then said that McAfee was running. I tried to disable it (which is not very easy). But Combofix said it was still running. I clicked OK to continue anyway.

Issue 3) Combofix then said it had an issue with rootkit (not sure of the exact message) and would have to reboot.

It asked me to record the following files:

c:\windows\system32\drivers\senekampdqvsth.sys
c:\windows\system32\senekapxdkbwru.dll
c:\windows\system32\senekaemowqbww.dat
c:\windows\system32\senekaohsffjik.dll
c:\windows\system32\senekateoewmtk.dll
c:\windows\system32\senekaiboypagr.dat

Issue 4) When it rebooted, it got past the Windows Welcome page. I get the Blue Combofix box with the message "Please wait Combofix is preparing to run..."

Issue 5) Then I got the blue screen of death - memory core dump.

I manually switched off the computer and tried again.

Now when I reboot, I just get to the Blue box (without message) and then it memory core dumps.

Nasty, nasty Virus !!

Cheers, Simon
scansdale is offline  
Old 03-14-2009, 06:26 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: AntivirusXPPro2009 Virus

Hello :)

Did you install the recovery console? If not, do you have your Windows Installation media? Is this a Windows Vista or Windows XP machine?

Billy3
Billy O'Neal is offline  
Old 03-15-2009, 02:07 AM   #5 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


Re: AntivirusXPPro2009 Virus

Hello Bill,

Combofix didn't prompt me to install the Recovery Console. It must have re-booted before that stage.

It is Windows XP and I do have the Operating System CD.

Regards, Simon
scansdale is offline  
Old 03-15-2009, 02:55 PM   #6 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: AntivirusXPPro2009 Virus

Hello, scansdale
We Need to Perform Operations with the Recovery Console
  1. Pop your Windows XP disk into your CD or DVD rom drive, and configure your system to boot to the CD drive. This is usually done using the F10 or F12 keys and selecting the CDRom device from the list, or by entering your BIOS and modifying the boot loader. If you don't know how to do any of this, try skipping to the next step. If your machine doesn't boot to the CD, reply here with the exact make and model of your computer and I'll get you more exact instructions.
  2. If you've done that correctly, you'll see this:
  3. Press any key to start Windows Setup (Don't worry.. we're not actually using setup at this point)
  4. Wait a while for setup to start, until you see the following screen. Press the R key.
  5. Wait until you see this screen, and enter the number of your main installation. (Typically 1 for C:\Windows)
  6. Press Enter.
  7. If prompted to do so, enter your Administrator password. If you don't have one, leave it blank and press enter.
  8. Enter the following code line by line, being careful about spaces and quotes on each line, pressing Enter on each line. Wait for each command to complete before entering the next one.
    Code:
    cd erdnt
    cd subs
    batch erdnt.con
    exit
  9. Remove your Recovery Console disk. Windows should now begin loading.

Billy3
Billy O'Neal is offline  
Old 03-15-2009, 04:44 PM   #7 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


Re: AntivirusXPPro2009 Virus

Hello Bill,

Successfully followed instructions, until :

cd subs

There is no 'subs' directory below 'erdnt'. The only directory below 'erdnt' is 'hiv-backup'.

In this directory, there are several files and one is called 'erdnt.con'.

Do you want me to 'batch erdnt.con' this file ?

Cheers, Simon.

Last edited by scansdale; 03-15-2009 at 04:47 PM.
scansdale is offline  
Old 03-15-2009, 08:52 PM   #8 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: AntivirusXPPro2009 Virus

Go ahead and replace cd subs with cd hiv-backup. That backup is taken earlier -- undoing more stuff... that's the next in line :)

Billy3
Billy O'Neal is offline  
Old 03-16-2009, 01:18 AM   #9 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


Re: AntivirusXPPro2009 Virus

Hi Bill,

Windows is now running.

I have a message saying that the Active Desktop has been turned off.

What is the next action ?

Regards, Simon.
scansdale is offline  
Old 03-16-2009, 01:16 PM   #10 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: AntivirusXPPro2009 Virus

Please delete your existing copy of ComboFix, and download a fresh copy.

Try running it one more time. Please let me know if it works. If it doesn't, go ahead and perform the same restore steps we already did once.

Billy3
Billy O'Neal is offline  
Old 03-16-2009, 01:22 PM   #11 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


Re: AntivirusXPPro2009 Virus

Hi Bill,

I'm away on business for a couple of days. I'll do as you ask, when I get back on Wednesday.

Thanks for your patience.

Simon
scansdale is offline  
Old 03-16-2009, 01:30 PM   #12 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: AntivirusXPPro2009 Virus

No problem :)

Billy3
Billy O'Neal is offline  
Old 03-18-2009, 03:21 PM   #13 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


Re: AntivirusXPPro2009 Virus

Hi Bill,

Back again.

Retraced my steps and booted up from the Operating System CD. Ran the erdnt.con batch program, which completed successfully. Clicked Exit to continue and Windows opened.

1. The Active Desktop was switched off.
2. I received a message box titled 'Data Execution Prevention', saying 'To help protect your computer Windows has closed the following program - Windows Explorer.'
3. A cmd batch window opened titled c:\be.exe, which just seemed to be a blank screen with a cursor flicking across it. This seems to slow all the processes down (like it was running the process in the foreground rather than the background).

Finally, I ran a new version of Combofix - it ran for a few seconds and then I got the memory core dump (blue screen). It didn't prompt me to do anything before it died.

Tried again, and had the same issue.

What do you suggest ?

Regards, Simon.
scansdale is offline  
Old 03-18-2009, 06:03 PM   #14 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: AntivirusXPPro2009 Virus

Hello, scansdale
Give this a shot:

We need to execute an Avenger2 script
Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions, as they could damage the workings of your system.
  1. Please download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
    Code:
    drivers to delete:
    senekampdqvsth.sys
  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

In your next reply, please include the following:
  • Avenger's Log

Billy3
Billy O'Neal is offline  
Old 03-19-2009, 01:56 PM   #15 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


Re: AntivirusXPPro2009 Virus

Hi Billy,

Did as instructed, but not much to report. Here are the contents of the log file.

Regards, Simon.



Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\senekampdqvsth.sys" not found!
Deletion of driver "senekampdqvsth.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
scansdale is offline  
Old 03-19-2009, 09:30 PM   #16 (permalink)
Analyst, Security Team
 
 
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server


Re: AntivirusXPPro2009 Virus

Hello, scansdale
Looks like CF got the main part of the infection before failing. We do have some stuff to clean up manually however.

We need to create an OTListIt2 Report
  1. Please download OTListIt2 from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

We need to scan for Rootkits with GMER
  1. Please download GMER from one of the following mirrors:
  2. Close any and all open programs, as this process may crash your computer.
  3. Unzip the downloaded file to your desktop.
  4. Double click on your desktop.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see this window. If you do, click No.
  7. Click on and wait for the scan to finish.
  8. If you see a rootkit warning window, click OK.
  9. Push and save the logfile to your desktop.
  10. Copy and Paste the contents of that file in your next post.

In your next reply, please include the following:
  • OTListIt.txt
  • Extra.txt
  • GMER's Log

Billy3
Billy O'Neal is offline  
Old 03-25-2009, 10:59 AM   #17 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


Re: AntivirusXPPro2009 Virus

Hi Bill,

I did post a reply on Friday, but just realised that my post was too long, so it did not go through. I will post the logs in 3 separate postings.

In addition, the active Desktop is still deactivated and the PC cannot access the internet, not sure if these are related.

Regards, Simon.


OTListIt logfile created on: 2009-03-21 09:22:07 - Run 1
OTListIt2 by OldTimer - Version 2.0.7.0 Folder = C:\Documents and Settings\Simon\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: yyyy-MM-dd

1.19 Gb Total Physical Memory | 0.62 Gb Available Physical Memory | 52.17% Memory free
1.33 Gb Paging File | 0.94 Gb Available in Paging File | 70.60% Paging File free
Paging file location(s): C:\pagefile.sys 288 1000;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.20 Gb Total Space | 18.42 Gb Free Space | 35.97% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 124.10 Mb Total Space | 115.01 Mb Free Space | 92.68% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PLAYROOM_PC
Current User Name: Simon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2008-04-14 00:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2002-08-15 06:26:26 | 00,299,008 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE
PRC - [2002-08-15 06:26:26 | 00,174,592 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXPPS.EXE
PRC - [2005-12-15 12:14:40 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe
PRC - [2005-08-05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe
PRC - [2008-11-10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008-01-09 15:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2008-01-25 00:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2007-08-15 11:36:04 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2007-07-24 11:02:14 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2007-07-18 14:54:42 | 00,856,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe
PRC - [2007-11-26 09:46:14 | 00,023,880 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\MskSrver.exe
PRC - [2006-08-23 19:12:44 | 00,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2005-08-05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe
PRC - [2007-11-01 18:12:38 | 00,582,992 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2006-08-15 09:38:14 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2002-08-15 06:26:32 | 00,886,272 | ---- | M] (Lexmark International Inc.) -- C:\WINDOWS\system32\LXSUPMON.EXE
PRC - [2004-07-27 16:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2005-09-29 14:01:14 | 00,067,584 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehtray.exe
PRC - [2005-10-05 03:12:00 | 00,094,208 | ---- | M] () -- C:\Program Files\Dell\Media Experience\DMXLauncher.exe
PRC - [2005-09-08 05:20:00 | 00,122,940 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLACTRLW.EXE
PRC - [2006-08-14 14:20:26 | 00,462,336 | ---- | M] (Corel, Inc.) -- C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
PRC - [2007-08-24 21:57:48 | 00,036,640 | ---- | M] () -- C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
PRC - [2005-08-05 13:56:28 | 00,046,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehmsas.exe
PRC - [2008-05-27 09:50:30 | 00,413,696 | ---- | M] (Apple Inc.) -- C:\Program Files\QuickTime\QTTask.exe
PRC - [2008-07-10 09:51:32 | 00,289,064 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2008-11-10 05:43:42 | 00,136,600 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2006-08-28 21:57:12 | 00,395,776 | ---- | M] (Gteko Ltd.) -- C:\Program Files\Dell Support\DSAgnt.exe
PRC - [2008-06-15 07:07:29 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2006-03-15 08:30:24 | 00,593,920 | ---- | M] (Ralink Technology, Corp.) -- C:\Program Files\RALINK\Common\RaUI.exe
PRC - [2005-04-15 15:36:24 | 00,745,472 | ---- | M] () -- C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
PRC - [2008-07-10 09:51:22 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2007-12-05 09:04:10 | 00,695,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2008-06-14 09:41:54 | 00,781,288 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\MSC\mcupdmgr.exe
PRC - [2009-03-21 08:41:00 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Simon\Desktop\OTListIt2.exe
PRC - [2007-11-07 08:35:40 | 00,378,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe
PRC - [2007-11-07 08:35:40 | 00,361,800 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcvsshld.exe

========== Win32 Services (SafeList) ==========

SRV - [2008-07-10 08:47:18 | 00,116,040 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Auto | Stopped])
SRV - [2004-07-15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007-07-24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service [Auto | Stopped])
SRV - [2005-12-15 12:14:40 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehRecvr.exe -- (ehRecvr [Auto | Running])
SRV - [2005-08-05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\eHome\ehSched.exe -- (ehSched [Auto | Running])
SRV - [2008-08-30 09:01:08 | 00,029,744 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-061008-081103 [On_Demand | Stopped])
SRV - [2009-01-18 10:58:25 | 00,137,200 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])
SRV - [2008-04-14 00:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2008-07-10 09:51:22 | 00,532,264 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service [On_Demand | Running])
SRV - [2008-11-10 05:43:40 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2002-08-15 06:26:26 | 00,299,008 | ---- | M] (Lexmark International, Inc.) -- C:\WINDOWS\system32\LEXBCES.EXE -- (LexBceS [Auto | Running])
SRV - [2008-01-09 15:50:22 | 00,767,976 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2008-01-25 00:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
SRV - [2007-11-07 08:35:40 | 00,378,184 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Running])
SRV - [2007-08-15 11:36:04 | 00,359,248 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2005-08-05 13:27:08 | 00,099,328 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\mcrdsvc.exe -- (McrdSvc [Auto | Running])
SRV - [2007-07-24 11:02:14 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
SRV - [2007-12-05 09:04:10 | 00,695,624 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
SRV - [2004-08-10 04:11:50 | 00,085,504 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mhn.dll -- (MHN [On_Demand | Stopped])
SRV - [2007-07-18 14:54:42 | 00,856,864 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
SRV - [2007-11-26 09:46:14 | 00,023,880 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service [Auto | Running])
SRV - [2006-08-23 19:12:44 | 00,155,715 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2005-08-04 01:05:55 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [On_Demand | Stopped])
SRV - [2007-10-18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2007-10-25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2008-08-13 19:17:39 | 00,020,747 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2001-08-17 13:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Disabled | Stopped])
DRV - [2008-04-13 18:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Disabled | Stopped])
DRV - [2006-06-19 04:37:34 | 00,036,864 | ---- | M] (Advanced Micro Devices) -- C:\WINDOWS\system32\DRIVERS\AmdK8.sys -- (AmdK8 [System | Stopped])
DRV - [2001-08-17 13:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Disabled | Stopped])
DRV - [2001-08-17 13:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Disabled | Stopped])
DRV - [2006-08-14 13:29:44 | 00,044,544 | ---- | M] (Broadcom Corporation) -- C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys -- (bcm4sbxp [On_Demand | Running])
DRV - [2001-08-17 13:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Disabled | Stopped])
DRV - [2001-08-17 13:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Disabled | Stopped])
DRV - [2005-09-08 05:20:00 | 00,025,628 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLABOIOM.SYS -- (DLABOIOM [Auto | Running])
DRV - [2005-08-25 12:16:52 | 00,005,628 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DLACDBHM.SYS -- (DLACDBHM [System | Running])
DRV - [2005-09-08 05:20:00 | 00,002,496 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLADResN.SYS -- (DLADResN [Auto | Running])
DRV - [2005-09-08 05:20:00 | 00,086,524 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAIFS_M.SYS -- (DLAIFS_M [Auto | Running])
DRV - [2005-09-08 05:20:00 | 00,014,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAOPIOM.SYS -- (DLAOPIOM [Auto | Running])
DRV - [2005-09-08 05:20:00 | 00,006,364 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAPoolM.SYS -- (DLAPoolM [Auto | Running])
DRV - [2005-08-25 12:16:16 | 00,022,684 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DLARTL_N.SYS -- (DLARTL_N [System | Running])
DRV - [2005-09-08 05:20:00 | 00,094,332 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAUDFAM.SYS -- (DLAUDFAM [Auto | Running])
DRV - [2005-09-08 05:20:00 | 00,087,036 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\DLA\DLAUDF_M.SYS -- (DLAUDF_M [Auto | Running])
DRV - [2005-09-12 03:30:00 | 00,089,264 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVMCDB.SYS -- (DRVMCDB [Boot | Running])
DRV - [2005-08-12 05:20:00 | 00,040,544 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\DRVNDDM.SYS -- (DRVNDDM [Auto | Running])
DRV - [2006-01-10 11:07:58 | 00,004,864 | ---- | M] (GTek Technologies Ltd.) -- C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys -- (DSproct [On_Demand | Stopped])
DRV - [2001-08-17 12:12:10 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\e100b325.sys -- (E100B [On_Demand | Stopped])
DRV - [2005-04-01 10:42:20 | 00,066,048 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\system32\DRIVERS\EAPPkt.sys -- (EAPPkt [Auto | Running])
DRV - [2008-01-29 11:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
DRV - [2008-04-13 16:36:05 | 00,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2007-11-22 05:44:08 | 00,079,304 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
DRV - [2007-11-22 05:44:08 | 00,035,240 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
DRV - [2007-11-22 05:44:08 | 00,201,320 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2007-11-22 05:44:04 | 00,033,832 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Running])
DRV - [2007-12-02 11:51:42 | 00,040,488 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
DRV - [2007-07-13 05:20:24 | 00,113,952 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\Drivers\Mpfp.sys -- (MPFP [System | Running])
DRV - [2001-08-17 13:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Disabled | Stopped])
DRV - [2006-08-23 19:12:38 | 03,959,712 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2004-08-10 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2005-01-26 02:03:00 | 00,020,576 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2001-08-17 13:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Disabled | Stopped])
DRV - [2001-08-17 13:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Disabled | Stopped])
DRV - [2001-08-17 13:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Disabled | Stopped])
DRV - [2006-03-08 16:28:00 | 00,255,232 | ---- | M] (Ralink Technology, Corp.) -- C:\WINDOWS\system32\DRIVERS\rt73.sys -- (RT73 [On_Demand | Running])
DRV - [2005-04-21 13:33:12 | 00,112,384 | ---- | M] (NETGEAR Inc.) -- C:\WINDOWS\system32\DRIVERS\wg111v2.sys -- (RTLWUSB [On_Demand | Stopped])
DRV - [2007-11-13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [Auto | Running])
DRV - [2006-07-05 12:39:29 | 00,059,256 | ---- | M] (Protection Technology (StarForce)) -- C:\WINDOWS\System32\drivers\sfdrv01.sys -- (sfdrv01 [Boot | Running])
DRV - [2006-06-14 14:56:56 | 00,013,680 | ---- | M] (Protection Technology (StarForce)) -- C:\WINDOWS\System32\drivers\sfhlp02.sys -- (sfhlp02 [Boot | Running])
DRV - [2006-07-10 16:19:58 | 00,027,032 | ---- | M] (Protection Technology) -- C:\WINDOWS\System32\drivers\sfsync02.sys -- (sfsync02 [Boot | Running])
DRV - [2007-01-12 18:09:53 | 00,082,296 | ---- | M] (Protection Technology (StarForce)) -- C:\WINDOWS\System32\drivers\sfvfs02.sys -- (sfvfs02 [Boot | Running])
DRV - [2008-04-13 18:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Disabled | Stopped])
DRV - [2002-10-02 08:57:12 | 00,013,532 | ---- | M] (Windows (R) 2000 DDK provider) -- C:\WINDOWS\System32\Drivers\SjyPkt.sys -- (SjyPkt [On_Demand | Stopped])
DRV - [2001-08-17 14:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Disabled | Stopped])
DRV - [2006-08-15 09:38:14 | 01,171,464 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA [On_Demand | Running])
DRV - [2001-08-17 14:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Disabled | Stopped])
DRV - [2001-08-17 14:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Disabled | Stopped])
DRV - [2001-08-17 14:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Disabled | Stopped])
DRV - [2001-08-17 14:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Disabled | Stopped])
DRV - [2001-08-17 13:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Disabled | Stopped])
DRV - [2008-07-10 08:35:22 | 00,032,000 | ---- | M] (Apple, Inc.) -- C:\WINDOWS\System32\Drivers\usbaapl.sys -- (USBAAPL [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=5070124
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=5070124


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=5070124
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...=ie&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=5070124
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir...=ie&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local



IE - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - URLSearchHook: {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll File not found
IE - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\S-1-5-21-3392501505-471593205-1300404183-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\S-1-5-21-3392501505-471593205-1300404183-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {1650a312-02bc-40ee-977e-83f158701739}:26.6
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.1

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD [2008-06-13 09:52:36 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2008-11-01 13:19:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2009-03-10 19:35:42 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2009-01-21 21:45:51 | 00,000,000 | ---D | M]

[2008-07-07 18:09:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Simon\Application Data\mozilla\Extensions
[2008-07-07 18:09:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Simon\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008-07-07 18:09:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Simon\Application Data\mozilla\Firefox\Profiles\vlsmelgi.default\extensions
[2009-01-02 10:09:03 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2008-08-13 22:21:55 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008-11-01 13:20:08 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
[2009-01-02 10:02:30 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2008-08-13 22:21:54 | 00,023,040 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2008-08-13 22:21:54 | 00,134,144 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008-01-04 15:36:50 | 00,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2006-07-05 18:47:38 | 00,002,193 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\answers.xml
[2008-01-04 15:36:50 | 00,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2008-03-08 09:35:22 | 00,001,534 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
[2008-01-04 15:36:50 | 00,001,077 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2008-04-16 04:08:20 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008-08-30 09:01:08 | 00,000,686 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\GoogleDesktopMozilla.png
[2008-08-30 09:01:08 | 00,000,531 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\GoogleDesktopMozilla.src
[2008-03-28 18:11:14 | 00,001,178 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia.xml
[2008-01-04 15:36:50 | 00,000,831 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll ()
O2 - BHO: (SWEETIE Class) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll File not found
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (McAfee Phishing Filter) - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\Program Files\McAfee\MSK\mcapbho.dll ()
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL (Sonic Solutions)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll (Google Inc.)
O2 - BHO: (Windows Live Toolbar Helper) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll ()
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (SweetIM For Internet Explorer) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll File not found
O3 - HKLM\..\Toolbar: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..\Toolbar\WebBrowser: (no name) - {BC4FFE41-DE9F-46FA-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll File not found
O3 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..\Toolbar\WebBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll (Microsoft Corporation)
O4 - HKLM..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe (Apple Inc.)
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe (Corel, Inc.)
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE (Sonic Solutions)
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe ()
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup (Google)
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k File not found
O4 - HKLM..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN (Lexmark International Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey (McAfee, Inc.)
O4 - HKLM..\Run: [Microsoft Update] KAV64.EXE File not found
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] nwiz.exe /install ()
O4 - HKLM..\Run: [One view global this] C:\Documents and Settings\All Users\Application Data\MPEG ELSE ONE VIEW\Idle amok.exe File not found
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe ()
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (Gteko Ltd.)
O4 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005..\Run: [Plus Atom] C:\DOCUME~1\Simon\APPLIC~1\PARTJU~1\mapidaleshim.exe File not found
O4 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe (Ralink Technology, Corp.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WG111v2 Smart Wizard Wireless Setting.lnk = C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoControlPanel = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm035YYGB
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..Trusted Sites: //@install.mar@/ ([]msni in My Computer)
O15 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..Trusted Sites: //@mail.mar@/ ([]msni in Local intranet)
O15 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..Trusted Sites: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..Trusted Sites: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..Trusted Sites: mcafee.com ([]https in Trusted sites)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/noc...tup1.0.1.1.cab (Reg Error: Key error.)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary...r.cab56986.cab (Checkers Class)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/s...irector/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} http://acs.pandasoftware.com/actives.../as2stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/sh...1/mcinsctl.cab (McAfee.com Operating System Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary...n.cab56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab (UnoCtrl Class)
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} http://www.nvidia.com/content/Driver...sysreqlab2.cab (System Requirements Lab Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary...t.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jin...ndows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/get...nt/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\siteadvisor {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe ()
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005-08-16 04:43:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{2d3c9e99-aebc-11db-b88e-00173f1448e6}\Shell\AutoRun\command - "" = E:\setupSNK.exe -- File not found
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun\command - "" = E:\setup.exe -- File not found
O33 - MountPoints2\{7faf34d3-aeb6-11db-b88d-806d6172696f}\Shell\AutoRun\command - "" = F:\setupSNK.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found

========== Files/Folders - Created Within 30 Days ==========

[4 C:\*.tmp files]
[1 C:\WINDOWS\System32\*.tmp files]
[2009-03-21 08:58:10 | 00,114,920 | ---- | C] () -- C:\Documents and Settings\Simon\Desktop\OTListIt.old
[2009-03-21 08:56:41 | 00,277,944 | ---- | C] () -- C:\Documents and Settings\Simon\Desktop\gmer.zip
[2009-03-21 08:56:37 | 00,499,200 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Simon\Desktop\OTListIt2.exe
[2009-03-19 19:46:04 | 00,000,458 | ---- | C] () -- C:\WINDOWS\System32\win32hlp.cnf
[2009-03-19 19:32:40 | 00,000,000 | ---D | C] -- C:\Avenger
[2009-03-19 19:30:02 | 00,135,168 | ---- | C] () -- C:\zip.exe
[2009-03-19 19:30:02 | 00,019,286 | ---- | C] () -- C:\cleanup.exe
[2009-03-19 19:30:02 | 00,000,574 | ---- | C] () -- C:\cleanup.bat
[2009-03-18 21:26:24 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009-03-18 21:26:23 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF14129.exe
[2009-03-18 21:18:20 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF11327.exe
[2009-03-18 21:00:17 | 00,001,516 | ---- | C] () -- C:\br.exe
[2009-03-16 12:56:40 | 00,099,840 | ---- | C] (Microsoft Corporation) -- C:\giff.exe
[2009-03-16 10:45:39 | 00,091,698 | RHS- | C] (RGE) -- C:\WINDOWS\System\service.exe
[2009-03-16 07:24:18 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF5710.exe
[2009-03-14 10:46:40 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009-03-14 10:46:40 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009-03-14 10:46:40 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009-03-14 10:46:40 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009-03-14 10:46:40 | 00,089,504 | ---- | C] (Smallfrogs Studio) -- C:\WINDOWS\fdsv.exe
[2009-03-14 10:46:40 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009-03-14 10:46:40 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009-03-14 10:46:40 | 00,049,152 | ---- | C] () -- C:\WINDOWS\VFIND.exe
[2009-03-14 10:46:40 | 00,029,696 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009-03-14 10:45:29 | 00,389,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\CF5157.exe
[2009-03-13 18:24:49 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt19.sqm
[2009-03-13 18:24:49 | 00,000,232 | -H-- | C] () -- C:\sqmdata19.sqm
[2009-03-13 18:22:35 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt18.sqm
[2009-03-13 18:22:35 | 00,000,232 | -H-- | C] () -- C:\sqmdata18.sqm
[2009-03-13 18:22:04 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt17.sqm
[2009-03-13 18:22:04 | 00,000,232 | -H-- | C] () -- C:\sqmdata17.sqm
[2009-03-13 18:20:34 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt16.sqm
[2009-03-13 18:20:34 | 00,000,232 | -H-- | C] () -- C:\sqmdata16.sqm
[2009-03-13 18:17:18 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt15.sqm
[2009-03-13 18:17:18 | 00,000,232 | -H-- | C] () -- C:\sqmdata15.sqm
[2009-03-13 18:12:09 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt14.sqm
[2009-03-13 18:12:09 | 00,000,232 | -H-- | C] () -- C:\sqmdata14.sqm
[2009-03-13 18:07:05 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt13.sqm
[2009-03-13 18:07:05 | 00,000,232 | -H-- | C] () -- C:\sqmdata13.sqm
[2009-03-13 18:02:04 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt12.sqm
[2009-03-13 18:02:04 | 00,000,232 | -H-- | C] () -- C:\sqmdata12.sqm
[2009-03-13 17:57:12 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt11.sqm
[2009-03-13 17:57:12 | 00,000,232 | -H-- | C] () -- C:\sqmdata11.sqm
[2009-03-13 17:52:04 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt10.sqm
[2009-03-13 17:52:04 | 00,000,232 | -H-- | C] () -- C:\sqmdata10.sqm
[2009-03-13 17:47:07 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt09.sqm
[2009-03-13 17:47:07 | 00,000,232 | -H-- | C] () -- C:\sqmdata09.sqm
[2009-03-13 17:45:17 | 00,000,232 | -H-- | C] () -- C:\sqmdata08.sqm
[2009-03-13 17:45:16 | 00,000,244 | -H-- | C] () -- C:\sqmnoopt08.sqm
[2009-03-13 17:41:54 | 00,000,292 | ---- | C] () -- C:\WINDOWS\System32\senekalog.dat
[2009-03-13 13:45:48 | 00,000,275 | ---- | C] () -- C:\dkn.exe
[2009-03-12 21:49:13 | 00,000,000 | RHSD | C] -- C:\RESTORE
[2009-03-12 21:49:09 | 00,044,082 | ---- | C] (RGE) -- C:\niggor.exe
[2009-03-11 08:37:29 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\kazaabackupfiles
[2009-03-10 20:52:44 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\drivers\seneka.sys
[2009-03-10 19:30:55 | 00,004,785 | ---- | C] () -- C:\WINDOWS\System32\warning.gif
[2009-03-10 19:30:43 | 00,104,960 | ---- | C] () -- C:\WINDOWS\System32\dllcache\userinit.exe
[2009-03-10 19:30:30 | 00,000,722 | ---- | C] () -- C:\WINDOWS\System32\test.ttt
[2009-03-10 19:30:30 | 00,000,001 | ---- | C] () -- C:\WINDOWS\System32\uniq.tll
[2009-03-07 17:45:26 | 00,000,088 | RHS- | C] () -- C:\WINDOWS\System32\41B807F0D2.sys
[2009-03-05 22:24:46 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\microsoft

========== Files - Modified Within 30 Days ==========

[4 C:\*.tmp files]
[1 C:\WINDOWS\System32\*.tmp files]
[1 C:\WINDOWS\*.tmp files]
[2009-03-21 09:12:31 | 00,000,254 | ---- | M] () -- C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
[2009-03-21 09:00:01 | 00,000,264 | -H-- | M] () -- C:\WINDOWS\tasks\B2947A78906BF964.job
[2009-03-21 08:58:10 | 00,114,920 | ---- | M] () -- C:\Documents and Settings\Simon\Desktop\OTListIt.old
[2009-03-21 08:49:47 | 00,025,554 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009-03-21 08:44:01 | 00,081,191 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009-03-21 08:43:37 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009-03-21 08:43:36 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009-03-21 08:43:35 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009-03-21 08:43:32 | 12,734,83264 | -HS- | M] () -- C:\hiberfil.sys
[2009-03-21 08:41:26 | 00,277,944 | ---- | M] () -- C:\Documents and Settings\Simon\Desktop\gmer.zip
[2009-03-21 08:41:00 | 00,499,200 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Simon\Desktop\OTListIt2.exe
[2009-03-19 22:42:39 | 02,535,524 | -H-- | M] () -- C:\Documents and Settings\Simon\Local Settings\Application Data\IconCache.db
[2009-03-19 20:23:17 | 00,135,168 | ---- | M] () -- C:\zip.exe
[2009-03-19 20:23:17 | 00,019,286 | ---- | M] () -- C:\cleanup.exe
[2009-03-19 20:23:17 | 00,000,574 | ---- | M] () -- C:\cleanup.bat
[2009-03-19 20:16:41 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2009-03-19 20:16:41 | 00,000,232 | -H-- | M] () -- C:\sqmdata19.sqm
[2009-03-19 20:12:58 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2009-03-19 20:12:58 | 00,000,232 | -H-- | M] () -- C:\sqmdata18.sqm
[2009-03-19 20:10:28 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2009-03-19 20:10:28 | 00,000,232 | -H-- | M] () -- C:\sqmdata17.sqm
[2009-03-19 20:07:08 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2009-03-19 20:07:08 | 00,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
[2009-03-19 20:03:48 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2009-03-19 20:03:48 | 00,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[2009-03-19 20:00:27 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt14.sqm
[2009-03-19 20:00:27 | 00,000,232 | -H-- | M] () -- C:\sqmdata14.sqm
[2009-03-19 19:57:08 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt13.sqm
[2009-03-19 19:57:08 | 00,000,232 | -H-- | M] () -- C:\sqmdata13.sqm
[2009-03-19 19:53:48 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt12.sqm
[2009-03-19 19:53:48 | 00,000,232 | -H-- | M] () -- C:\sqmdata12.sqm
[2009-03-19 19:50:28 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt11.sqm
[2009-03-19 19:50:28 | 00,000,232 | -H-- | M] () -- C:\sqmdata11.sqm
[2009-03-19 19:47:17 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt10.sqm
[2009-03-19 19:47:17 | 00,000,232 | -H-- | M] () -- C:\sqmdata10.sqm
[2009-03-19 19:46:04 | 00,000,458 | ---- | M] () -- C:\WINDOWS\System32\win32hlp.cnf
[2009-03-19 19:43:48 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt09.sqm
[2009-03-19 19:43:48 | 00,000,232 | -H-- | M] () -- C:\sqmdata09.sqm
[2009-03-19 19:40:31 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt08.sqm
[2009-03-19 19:40:31 | 00,000,232 | -H-- | M] () -- C:\sqmdata08.sqm
[2009-03-19 19:37:07 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt07.sqm
[2009-03-19 19:37:07 | 00,000,232 | -H-- | M] () -- C:\sqmdata07.sqm
[2009-03-19 19:35:33 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt06.sqm
[2009-03-19 19:35:33 | 00,000,232 | -H-- | M] () -- C:\sqmdata06.sqm
[2009-03-19 19:30:22 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt05.sqm
[2009-03-19 19:30:22 | 00,000,232 | -H-- | M] () -- C:\sqmdata05.sqm
[2009-03-19 19:29:14 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt04.sqm
[2009-03-19 19:29:14 | 00,000,232 | -H-- | M] () -- C:\sqmdata04.sqm
[2009-03-18 21:26:18 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF14129.exe
[2009-03-18 21:25:45 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt03.sqm
[2009-03-18 21:25:45 | 00,000,232 | -H-- | M] () -- C:\sqmdata03.sqm
[2009-03-18 21:24:23 | 00,001,516 | ---- | M] () -- C:\br.exe
[2009-03-18 21:12:07 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt02.sqm
[2009-03-18 21:12:07 | 00,000,232 | -H-- | M] () -- C:\sqmdata02.sqm
[2009-03-18 21:11:58 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF11327.exe
[2009-03-18 21:08:52 | 00,000,232 | -H-- | M] () -- C:\sqmdata01.sqm
[2009-03-18 21:08:51 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt01.sqm
[2009-03-18 20:50:33 | 00,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2009-03-18 20:50:33 | 00,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
[2009-03-16 12:56:41 | 00,099,840 | ---- | M] (Microsoft Corporation) -- C:\giff.exe
[2009-03-16 10:45:39 | 00,091,698 | RHS- | M] (RGE) -- C:\WINDOWS\System\service.exe
[2009-03-16 07:24:01 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF5710.exe
[2009-03-14 10:45:25 | 00,389,120 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\CF5157.exe
[2009-03-13 17:41:54 | 00,000,292 | ---- | M] () -- C:\WINDOWS\System32\senekalog.dat
[2009-03-13 15:13:44 | 00,000,275 | ---- | M] () -- C:\dkn.exe
[2009-03-12 22:10:33 | 00,044,082 | ---- | M] (RGE) -- C:\niggor.exe
[2009-03-11 08:36:11 | 00,004,785 | ---- | M] () -- C:\WINDOWS\System32\warning.gif
[2009-03-10 20:55:10 | 00,244,720 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009-03-10 20:52:44 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\drivers\seneka.sys
[2009-03-10 20:52:08 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009-03-10 19:30:34 | 00,104,960 | ---- | M] () -- C:\WINDOWS\System32\userinit.exe
[2009-03-10 19:30:34 | 00,104,960 | ---- | M] () -- C:\WINDOWS\System32\dllcache\userinit.exe
[2009-03-10 19:30:30 | 00,000,722 | ---- | M] () -- C:\WINDOWS\System32\test.ttt
[2009-03-10 19:30:30 | 00,000,001 | ---- | M] () -- C:\WINDOWS\System32\uniq.tll
[2009-03-10 18:07:45 | 00,000,571 | ---- | M] () -- C:\Documents and Settings\Simon\My Documents\My Sharing Folders.lnk
[2009-03-09 20:04:19 | 00,010,510 | ---- | M] () -- C:\Documents and Settings\Simon\Application Data\wklnhst.dat
[2009-03-07 17:46:01 | 00,005,642 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009-03-07 17:45:29 | 00,000,088 | RHS- | M] () -- C:\WINDOWS\System32\41B807F0D2.sys
[2009-03-07 16:54:09 | 00,002,137 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009-03-03 19:56:22 | 00,002,205 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Riding Star.lnk
[2009-03-03 18:02:25 | 00,002,193 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Equestriad 2001.lnk
[2009-02-23 16:34:31 | 00,017,920 | ---- | M] () -- C:\Documents and Settings\Simon\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
< End of report >
scansdale is offline  
Old 03-25-2009, 11:00 AM   #18 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


Re: AntivirusXPPro2009 Virus

Extras.txt
=======

OTListIt Extras logfile created on: 2009-03-21 09:22:07 - Run 1
OTListIt2 by OldTimer - Version 2.0.7.0 Folder = C:\Documents and Settings\Simon\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: yyyy-MM-dd

1.19 Gb Total Physical Memory | 0.62 Gb Available Physical Memory | 52.17% Memory free
1.33 Gb Paging File | 0.94 Gb Available in Paging File | 70.60% Paging File free
Paging file location(s): C:\pagefile.sys 288 1000;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 51.20 Gb Total Space | 18.42 Gb Free Space | 35.97% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 124.10 Mb Total Space | 115.01 Mb Free Space | 92.68% Space Free | Partition Type: FAT
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PLAYROOM_PC
Current User Name: Simon
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_USERS\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DisableNotifications" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
File not found -- C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
File not found -- C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
File not found -- C:\Program Files\AOL 9.0\waol.exe:*:Enabled:AOL
[2008-04-13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2007-10-18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007-10-02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2008-04-13 18:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
[2008-04-14 00:12:28 | 01,695,232 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
[2007-07-24 14:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008-01-25 00:38:12 | 02,458,128 | ---- | M] (McAfee, Inc.) -- C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent
[2008-07-10 09:51:26 | 20,246,824 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes
[2007-10-18 11:34:02 | 05,724,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[2007-10-02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{075473F5-846A-448B-BCB3-104AA1760205}" = Roxio RecordNow Data
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Roxio DLA
"{1D3C662A-F6C6-4767-A788-7AA43A9A1317}" = ARTEuro
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java(TM) 6 Update 11
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Sonic Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150060}" = J2SE Runtime Environment 5.0 Update 6
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35B91753-5789-4517-9CF1-2CCE3A8CF4F1}" = Apple Mobile Device Support
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{43CAC9A1-1993-4F65-9096-7C9AFC2BBF54}" = Dell CinePlayer
"{4462317C-2301-48E3-BD64-614215453DDA}" = Harry Potter Print Studio
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{5B6BE547-21E2-49CA-B2E2-6A5F470593B1}" = Sonic Activation Module
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7745B7A9-F323-4BB9-9811-01BF57A028DA}" = Map Button (Windows Live Toolbar)
"{77DD04FF-26B2-4918-968E-8A1F4D61D33B}" = Equestriad 2001
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{7ADE3A47-B425-45E9-8FF6-11BE2B775645}" = Corel Snapfire Plus
"{93A1B09E-BAFA-4628-A5B6-921CB026955A}" = Corel Paint Shop Pro Photo XI
"{9422C8EA-B0C6-4197-B8FC-DC797658CA00}" = Windows Live Sign-in Assistant
"{9941F0AA-B903-4AF4-A055-83A9815CC011}" = Sonic Encoders
"{9C244239-ED8E-40f1-937F-51C706CD2160}" = The Sims™ 2 Deluxe
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{AB708C9B-97C8-4AC9-899B-DBF226AC9382}" = Roxio RecordNow Audio
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B12665F4-4E93-4AB4-B7FC-37053B524629}" = Roxio RecordNow Copy
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CEE2252C-4035-4B27-8EC6-0B085DD3A413}" = Dell Support 3.2.1
"{D2988E9B-C73F-422C-AD4B-A66EBE257120}" = MCU
"{D5A145FC-D00C-4F1A-9119-EB4D9D659750}" = Windows Live Toolbar
"{E0F252A6-DE85-4E93-A93B-DFC3537B3965}" = WG111v2 Configuration Utility
"{E91E8912-769D-42F0-8408-0E329443BABC}" = Ralink Wireless LAN Card
"{ED57BD71-9D32-4954-8B82-22E68DAAEAFE}" = Riding Star
"{EF5A6DD8-4A03-4BDD-A7C3-5CA2FF02DCFA}" = Pippa Funnell
"{EF6C4600-306D-4F6A-A119-C2A877D25B4A}" = iTunes
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{FB64BF25-3593-4E4E-AA85-84AEF1D1475F}" = Broadcom Management Programs
"12133444-BF36-4d4e-B7FB-A3424C645DE4" = GemMaster Mystic
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adventure Rock_is1" = Adventure Rock 1.0
"B3EE3001-DC24-4cd1-8743-5692C716659F" = Otto
"Chuzzle Deluxe 1.01" = Chuzzle Deluxe 1.01
"EmeraldQFE2" = Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
"Encarta96" = Microsoft Encarta 96 Encyclopedia
"Feeding Frenzy 2 Deluxe 1.0" = Feeding Frenzy 2 Deluxe 1.0
"Google Desktop" = Google Desktop
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"Lexmark Supplies Monitor" = Lexmark Supplies Monitor
"Lexmark Z45" = Lexmark Z45
"LiveUpdate" = LiveUpdate 2.6 (Symantec Corporation)
"McAfee Uninstall Utility" = McAfee Uninstaller
"Messenger Plus! Live" = Messenger Plus! Live & Sponsor (CiD)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Mozilla Firefox (3.0.1)" = Mozilla Firefox (3.0.1)
"MSC" = McAfee SecurityCenter
"MSNINST" = MSN
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"Norton PC Checkup" = Norton PC Checkup
"NVIDIA Drivers" = NVIDIA Drivers
"Peggle Deluxe 1.01" = Peggle Deluxe 1.01
"Pippa Funnell 2 - Take The Reins" = Pippa Funnell 2 - Take The Reins
"RealPlayer 6.0" = RealPlayer
"SearchAssist" = SearchAssist
"ShockwaveFlash" = Adobe Flash Player 9 ActiveX
"StreetPlugin" = Learn2 Player (Uninstall Only)
"SystemRequirementsLab" = System Requirements Lab
"Windows Live Toolbar" = Windows Live Toolbar
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows XP Service Pack" = Windows XP Service Pack 3
"Zylom Games Player Plugin" = Zylom Games Player Plugin

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 2009-03-21 05:12:00 | Computer Name = PLAYROOM_PC | Source = Service Control Manager | ID = 7023
Description = The Automatic Updates service terminated with the following error:
%%2147952506

Error - 2009-03-21 05:12:30 | Computer Name = PLAYROOM_PC | Source = DCOM | ID = 10010
Description = The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register
with DCOM within the required timeout.


< End of report >
scansdale is offline  
Old 03-25-2009, 11:01 AM   #19 (permalink)
Registered User
 
Join Date: May 2008
Posts: 32
OS: xp


Re: AntivirusXPPro2009 Virus

GMER.log
=======


GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-21 11:12:23
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB67949AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB6794958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB679496C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB67949EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB6794930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB6794944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB67949BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB6794996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB6794982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB6794A19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB6794A00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB67949D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 8050223C 7 Bytes JMP B67949D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8056E2FC 5 Bytes JMP B67949AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805A7500 7 Bytes JMP B67949EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805A8316 5 Bytes JMP B6794A04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805ADA94 7 Bytes JMP B67949C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805C1322 5 Bytes JMP B6794934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805C15AE 5 Bytes JMP B6794948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805C3DE0 5 Bytes JMP B6794986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C73F6 7 Bytes JMP B6794970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805C74AC 5 Bytes JMP B679495C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805C79B6 5 Bytes JMP B679499A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805C8CB6 5 Bytes JMP B6794A1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[440] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[440] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070FA1
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070076
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F7C
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 000700CE
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070104
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070F61
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00070F50
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 000700A7
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00070040
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0007001B
.text C:\WINDOWS\system32\services.exe[832] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 000700DF
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 0006002F
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00060F97
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00060FE5
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00060FB2
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00060000
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [26, 88]
.text C:\WINDOWS\system32\services.exe[832] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0006004A
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050055
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050FCA
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00050044
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\services.exe[832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0005001D
.text C:\WINDOWS\system32\services.exe[832] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA0F8D
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0078
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F9E
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA004A
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00AE
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA009D
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA00C9
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA0F30
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BA0F0B
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BA005B
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BA0F72
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\lsass.exe[844] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BA0F4B
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B90FB9
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B90F68
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B9000A
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B90F83
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B90025
.text C:\WINDOWS\system32\lsass.exe[844] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B90F9E
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B8005F
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B80044
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80022
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80033
.text C:\WINDOWS\system32\lsass.exe[844] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B80011
.text C:\WINDOWS\system32\lsass.exe[844] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A0F29
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F3A
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A001E
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0F61
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0F97
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A0040
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F04
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A006C
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A005B
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0EB8
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0F7C
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A002F
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FB2
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\system32\svchost.exe[960] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A0EDD
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290025
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290F83
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00290FCA
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 0029000A
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290F9E
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FEF
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FAF
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [49, 88]
.text C:\WINDOWS\system32\svchost.exe[960] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290036
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0038
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0027
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FC8
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0FB7
.text C:\WINDOWS\system32\svchost.exe[960] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FE3
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FE5
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50F4B
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F50F5C
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F6D
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50036
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F5001B
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50093
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50078
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F500BF
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F50F30
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F50F0B
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F50F94
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F50FD4
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F50051
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F50FB9
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F5000A
.text C:\WINDOWS\system32\svchost.exe[1044] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F500AE
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F40FD4
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F40076
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F40025
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F40FAF
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F40FEF
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00F40051
.text C:\WINDOWS\system32\svchost.exe[1044] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F40040
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F30F95
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F30FA6
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F30016
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F30FC1
.text C:\WINDOWS\system32\svchost.exe[1044] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F30FD2
.text C:\WINDOWS\system32\svchost.exe[1044] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F20FEF
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C90065
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C90F7A
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C90F8B
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C90FA8
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C90039
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C90F27
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C90F38
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C900CA
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C900A5
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C900DB
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C9004A
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C90FEF
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C90F55
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C90FC3
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C90FDE
.text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C9008A
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00C80FC0
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00C80F8A
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00C80011
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00C80F9B
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00C8003D
.text C:\WINDOWS\system32\svchost.exe[1108] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00C80022
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C70016
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C70F95
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C70FB7
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C70FA6
.text C:\WINDOWS\system32\svchost.exe[1108] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C70FD2
.text C:\WINDOWS\system32\svchost.exe[1108] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C60000
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02A00FEF
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02A00F83
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02A00082
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02A0005B
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02A0004A
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02A00FAF
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02A00F50
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02A00F61
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02A00F09
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02A00F1A
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 02A00EF8
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 02A00F9E
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 02A00FD4
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 02A00F72
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 02A0001B
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 02A00000
.text C:\WINDOWS\system32\svchost.exe[1152] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 02A00F35
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 029E0FD1
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 029E0073
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 029E0022
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 029E0011
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 029E0058
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 029E0000
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 029E0FB6
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [BE, 8A]
.text C:\WINDOWS\system32\svchost.exe[1152] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 029E0047
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 029D0F75
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!system 77C293C7 5 Bytes JMP 029D0000
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 029D0FAB
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_open 77C2F566 5 Bytes JMP 029D0FE3
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 029D0F9A
.text C:\WINDOWS\system32\svchost.exe[1152] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 029D0FC6
.text C:\WINDOWS\system32\svchost.exe[1152] WS2_32.dll!socket 71AB4211 5 Bytes JMP 029C0000
.text C:\WINDOWS\system32\svchost.exe[1152] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 029F0FE5
.text C:\WINDOWS\system32\svchost.exe[1152] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 029F0000
.text C:\WINDOWS\system32\svchost.exe[1152] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 029F0FD4
.text C:\WINDOWS\system32\svchost.exe[1152] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 029F002F
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B1000A
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B1008C
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B10071
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10056
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10F97
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B10FA8
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B100DF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B100B8
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B10101
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B10F68
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00B10126
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00B1002F
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00B1009D
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00B10FC3
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00B10FD4
.text C:\WINDOWS\system32\svchost.exe[1280] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00B100F0
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B00036
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B0006C
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B00FDB
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B0001B
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B00FAF
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B00047
.text C:\WINDOWS\system32\svchost.exe[1280] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B00FCA
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF0FC8
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0FD9
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF002E
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF0049
.text C:\WINDOWS\system32\svchost.exe[1280] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF0011
.text C:\WINDOWS\system32\svchost.exe[1280] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009C0FE5
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009C0091
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009C0076
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009C0065
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009C0054
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009C0FC3
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009C00C9
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009C00AC
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009C0F41
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009C00E4
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 009C0F30
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 009C0FB2
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 009C0000
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 009C0F81
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 009C0FD4
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 009C001B
.text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 009C0F66
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 009B0025
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 009B0F83
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 009B0014
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 009B0FDE
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 009B0F94
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 009B0036
.text C:\WINDOWS\system32\svchost.exe[1436] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 009B0FB9
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009A0FD4
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!system 77C293C7 5 Bytes JMP 009A005F
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009A003A
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009A000C
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009A0FE5
.text C:\WINDOWS\system32\svchost.exe[1436] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009A001D
.text C:\WINDOWS\system32\svchost.exe[1436] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00990000
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014B0000
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 014B0047
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 014B0036
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 014B0F68
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 014B0F79
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014B0FAF
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 014B0062
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014B0F26
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014B0EDD
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014B0EEE
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 014B0EC2
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 014B0F94
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 014B0FE5
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 014B0F41
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 014B0FCA
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 014B001B
.text C:\WINDOWS\Explorer.EXE[1524] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 014B0EFF
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01400040
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01400F97
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01400025
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01400FEF
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01400FA8
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01400000
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 01400FB9
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [60, 89]
.text C:\WINDOWS\Explorer.EXE[1524] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 01400FD4
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 013F0F81
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!system 77C293C7 5 Bytes JMP 013F0FA6
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 013F0FC1
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!_open 77C2F566 5 Bytes JMP 013F0FE3
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 013F000C
.text C:\WINDOWS\Explorer.EXE[1524] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 013F0FD2
.text C:\WINDOWS\Explorer.EXE[1524] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 014A0000
.text C:\WINDOWS\Explorer.EXE[1524] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 014A0FEF
.text C:\WINDOWS\Explorer.EXE[1524] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 014A001B
.text C:\WINDOWS\Explorer.EXE[1524] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 014A002C
.text C:\WINDOWS\Explorer.EXE[1524] ws2_32.dll!socket 71AB4211 5 Bytes JMP 02170FE5
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C00FEF
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C00F7F
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C00F9A
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C00068
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C00FAB
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C00FCD
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C00F38
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C00F49
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C00EE7
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C00EF8
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C0009B
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C00FBC
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C00F5A
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C0002F
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C00FDE
.text C:\WINDOWS\system32\dllhost.exe[2536] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C00F13
.text C:\WINDOWS\system32\dllhost.exe[2536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BE0036
.text C:\WINDOWS\system32\dllhost.exe[2536] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BE0FAB
.text C:\WINDOWS\system32\dllhost.exe[2536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BE0FBC
.text C:\WINDOWS\system32\dllhost.exe[2536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BE0000
.text C:\WINDOWS\system32\dllhost.exe[2536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BE001B
.text C:\WINDOWS\system32\dllhost.exe[2536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BE0FD7
.text C:\WINDOWS\system32\dllhost.exe[2536] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BF0036
.text C:\WINDOWS\system32\dllhost.exe[2536] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BF0FA5
.text C:\WINDOWS\system32\dllhost.exe[2536] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BF0025
.text C:\WINDOWS\system32\dllhost.exe[2536] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BF0FEF
.text C:\WINDOWS\system32\dllhost.exe[2536] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BF0FC0
.text C:\WINDOWS\system32\dllhost.exe[2536] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BF0000
.text C:\WINDOWS\system32\dllhost.exe[2536] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00BF0062
.text C:\WINDOWS\system32\dllhost.exe[2536] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BF0047
.text C:\WINDOWS\system32\dllhost.exe[2536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BD0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat B2F62D20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----
Old 03-25-2009, 07:25 PM   #20
Billy O'Neal
Analyst, Security Team
Join Date: Aug 2008
Location: Northfield, Ohio, United States
Posts: 1,690
OS: XPSP3, Vista Ultimate SP1, Ubuntu Server

Re: AntivirusXPPro2009 Virus

Hello, scansdale
Here's the internet problem:

Quote:
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\TEMP\ntdll64.dll File not found
O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\TEMP\ntdll64.dll File not found
Here's the desktop problem:
Quote:
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSetActiveDesktop = 1
O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
Time to get those fixed! :)

We need to run an OTListIt2 Fix
  1. Please reopen on your desktop.
  2. Copy and Paste the following code into the textbox. Do not include the word "Code"
    Code:
    :files
    C:\PROGRA~1\MACROG~1\SWEETI~1
    C:\WINDOWS\TEMP\ntdll64.dll
    C:\WINDOWS\System\service.exe
    C:\WINDOWS\System32\senekalog.dat
    C:\dkn.exe
    C:\RESTORE
    C:\niggor.exe
    C:\WINDOWS\System32\kazaabackupfiles
    C:\WINDOWS\System32\drivers\seneka.sys
    C:\WINDOWS\System32\warning.gif
    C:\Documents and Settings\All Users\Documents\microsoft
    C:\WINDOWS\System32\test.ttt
    C:\WINDOWS\System32\uniq.tll
    C:\WINDOWS\System32\41B807F0D2.sys
    C:\br.exe
    C:\giff.exe
    :otli
    O2 - BHO: (SWEETIE Class) - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll File not found
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
    O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableTaskMgr = 1
    O7 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZJxdm035YYGB
    O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000009 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000010 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000011 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000012 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000013 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000014 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000015 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000016 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O10 - Protocol_Catalog9\Catalog_Entries\000000000017 - C:\WINDOWS\TEMP\ntdll64.dll File not found
    O15 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..Trusted Sites: //@install.mar@/ ([]msni in My Computer)
    O15 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..Trusted Sites: //@mail.mar@/ ([]msni in Local intranet)
    O15 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..Trusted Sites: internet ([]about in Trusted sites)
    O15 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..Trusted Sites: mcafee.com ([]http in Trusted sites)
    O15 - HKU\S-1-5-21-3392501505-471593205-1300404183-1005\..Trusted Sites: mcafee.com ([]https in Trusted sites)
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} http://ak.exe.imgfarm.com/images/noc...tup1.0.1.1.cab (Reg Error: Key error.)
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    "FirstRunDisabled" =-
    "AntiVirusDisableNotify" =-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring" =-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
    "DisableMonitoring" =-
  3. Push
  4. OTLI2 may ask to reboot the machine. Please do so if asked.
  5. Click .
  6. A report will open. Copy and Paste that report in your next reply.

In your next reply, please include the following:
  • OTListIt2 Fix Log

Billy3
__________________
If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked

Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....
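The fix above removes three things at once: Winsock catalog entries (the O10 lines) that point at a DLL which no longer exists, the Explorer and System policy values (the O7 lines) that lock Task Manager and the Active Desktop, and the Security Center switches that hide the disabled-AV state. The read-only PowerShell audit below is added here as an example and is not part of Billy O'Neal's instructions or of the OTListIt2 tool; it checks a machine for the same three conditions. It assumes that the PackedCatalogItem value of each catalog entry starts with the provider DLL path as a null-terminated ANSI string in a 260-byte (MAX_PATH) field, and it inspects only HKCU and HKLM for the policy values, not the other user hives listed in the fix.

```powershell
# Added example (not from the thread): read-only audit of the three things the
# analyst's OTListIt2 script removes. Run from an elevated PowerShell prompt.
# Assumption: PackedCatalogItem begins with the provider DLL path as a
# null-terminated ANSI string in a 260-byte field (the rest of the blob is the
# packed WSAPROTOCOL_INFO and is not needed here).
$findings = @()

# 1. Winsock LSP catalog (the O10 lines). An entry whose DLL is missing makes
#    every socket() call fail in every process, which is the "internet problem".
$catalog = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries'
foreach ($entry in (Get-ChildItem -Path $catalog -ErrorAction SilentlyContinue)) {
    $item = Get-ItemProperty -Path $entry.PSPath -Name PackedCatalogItem -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $packed = $item.PackedCatalogItem
    $raw    = [System.Text.Encoding]::Default.GetString($packed, 0, [Math]::Min(260, $packed.Length))
    $path   = $raw.Split([char]0)[0]
    # Provider paths are usually written with %SystemRoot%; expand before testing.
    $full   = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $full)) {
        $findings += "O10: catalog entry $($entry.PSChildName) points to missing DLL '$path'"
    }
}

# 2. Policy values the rogue set (the O7 lines): Task Manager and desktop locks.
$policyChecks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoSetActiveDesktop' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoActiveDesktopChanges' }
)
foreach ($hive in @('HKCU:', 'HKLM:')) {
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path "$hive\$($c.Key)" -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -eq 1) {
            $findings += "O7: $hive\$($c.Key)\$($c.Name) = 1"
        }
    }
}

# 3. Security Center notifications and per-product monitoring switched off
#    (the :reg section of the fix deletes exactly these values).
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusDisableNotify', 'FirstRunDisabled') {
    $v = Get-ItemProperty -Path $sc -Name $name -ErrorAction SilentlyContinue
    if ($v -and $v.$name -eq 1) { $findings += "Security Center: $name = 1" }
}
foreach ($prod in (Get-ChildItem -Path "$sc\Monitoring" -ErrorAction SilentlyContinue)) {
    $v = Get-ItemProperty -Path $prod.PSPath -Name DisableMonitoring -ErrorAction SilentlyContinue
    if ($v -and $v.DisableMonitoring -eq 1) {
        $findings += "Security Center: Monitoring\$($prod.PSChildName)\DisableMonitoring = 1"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

The script only reports; once the stray catalog entries are gone, `netsh winsock reset` rebuilds the Winsock catalog from the providers that are still installed.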
Copyright 2001 - 2009, Tech Support Forum