Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

StealthMBR!mbr

Post by HalibutStance » March 7th, 2009, 8:05 pm

Greetings, all: I'm using Cox Cable (US)'s McAfee Security Suite. Since Thursday evening I have gotten McAfee pop-up notifications on boot-up that the suite had detected StealthMBR!mbr in any and/or all of the following locations: G:\, G:\Desktop.ini, I:\ and I:\Desktop.ini. Neither of these drives has a Desktop file (that I know of), and the F drive is my boot drive on this computer. The popup IDs it as an unquarantineable trojan and recommends I reboot and run a scan, which I have done, but when complete the suite states no problems detected. I've looked for a solution online, but I'm confused by what I have seen; I'm just a home end user, not a registry whiz or any other sort of expert user.

If anyone needs any further info, let me know. Thanks in advance for any and all assistance you can give me with this problem. The HijackThis log is as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:44 PM, on 3/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Google\Update\GoogleUpdate.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\McAfee.com\Agent\mcagent.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\ASUS\AI Nap\AiNap.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\essspk.exe
F:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
F:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
F:\WINDOWS\system32\cisvc.exe
F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
F:\Program Files\AMD\RAIDXpert\_jvm\bin\java.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\Program Files\McAfee\SiteAdvisor\McSACore.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\IoctlSvc.exe
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\WINDOWS\system32\fxssvc.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\WINDOWS\system32\cidaemon.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - f:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - f:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MediaFace Integration] F:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [Ai Nap] "F:\Program Files\ASUS\AI Nap\AiNap.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] F:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -c
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] F:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [LightScribe Control Panel] F:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [SUPERAntiSpyware] F:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = F:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224128433955
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224135004234
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - f:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AMD RAIDXpert (AMDRAIDXpert) - Unknown owner - F:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
O23 - Service: Google Update Service (gupdate1c98cb92d37006c) (gupdate1c98cb92d37006c) - Google Inc. - F:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - F:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - F:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - F:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - F:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: stllssvr - Unknown owner - F:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

--
End of file - 10542 bytes
HalibutStance
Active Member
Posts: 9
Joined: March 7th, 2009, 7:48 pm
Location: (Fabulous) Las Vegas
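A detection whose name ends in "!mbr" refers to sector 0 of a physical disk, not to a file, so a file scan that later reports nothing is not evidence either way. The script below is an added example for this thread, not a tool from MalwareRemoval.com, McAfee or GMER: it parses a 512-byte Master Boot Record using the standard layout (440 bytes of boot code, 4-byte disk signature, four 16-byte partition entries at offset 446, 0x55AA at offset 510), runs a few structural checks, and hashes only the boot-code area so the sectors of several disks, or a before/after pair, can be compared. The names `check_mbr`, `odd_ones_out` and `read_physical_mbr` are mine, and the sample sectors are constructed inside the script so it runs without touching a disk. One caveat a practitioner would want: MBR rootkits of this kind typically hook the disk driver and hand back the original sector when it is read from inside the running system, so a clean live read is weak evidence; a read of the same disk from boot media or from another machine is what to trust.

```python
"""
MBR structure check for an "!mbr" style detection.

Added example, not code from the forum, McAfee or GMER. Layout assumed is the
standard MBR: bytes 0-439 boot code, 440-443 Windows disk signature, 444-445
reserved, 446-509 four 16-byte partition entries, 510-511 the 0x55AA signature.
The sample sectors at the bottom are constructed here for demonstration.
"""
import hashlib
import struct
from itertools import combinations

MBR_SIZE = 512
CODE_SIZE = 440            # boot code, everything before the disk signature
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xAA"


def parse_partitions(mbr):
    """Return the four partition entries as dicts, empty slots included."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + PART_ENTRY_SIZE])
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_sha256(mbr):
    """Hash only the boot-code area: disk signature and partition table
    legitimately differ between disks, the boot code normally does not."""
    return hashlib.sha256(mbr[:CODE_SIZE]).hexdigest()


def check_mbr(mbr, baseline_code_hash=None):
    """Structural checks; returns a list of findings (empty means nothing odd)."""
    entries = parse_partitions(mbr)          # also validates the length
    findings = []
    if mbr[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    for p in entries:
        if p["status"] not in (0x00, 0x80):
            findings.append("entry %d: invalid status byte 0x%02x" % (p["index"], p["status"]))
    used = [p for p in entries if p["type"] != 0]
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    for a, b in combinations(used, 2):
        if (a["lba_start"] < b["lba_start"] + b["sectors"]
                and b["lba_start"] < a["lba_start"] + a["sectors"]):
            findings.append("entries %d and %d overlap" % (a["index"], b["index"]))
    if baseline_code_hash is not None and boot_code_sha256(mbr) != baseline_code_hash:
        findings.append("boot code differs from baseline")
    return findings


def odd_ones_out(mbrs):
    """Given {disk_name: sector}, return the disks whose boot-code hash is not the
    most common one. Disks all partitioned by the same Windows setup should agree;
    a disk set up by another tool or OS will differ legitimately, so treat this as
    a pointer to what to look at, not a verdict."""
    hashes = {name: boot_code_sha256(m) for name, m in mbrs.items()}
    if not hashes:
        return []
    majority = max(set(hashes.values()), key=list(hashes.values()).count)
    return sorted(n for n, h in hashes.items() if h != majority)


def read_physical_mbr(disk_number):
    # Reads sector 0 of \\.\PhysicalDriveN on Windows (administrator rights needed).
    # A rootkit hooking the disk driver can return a clean copy here; prefer boot media.
    with open(r"\\.\PhysicalDrive%d" % disk_number, "rb") as f:
        return f.read(MBR_SIZE)


def build_sample_mbr(boot_code, entries):
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples.
    Used only to construct the demonstration data below."""
    code = boot_code.ljust(CODE_SIZE, b"\x00")[:CODE_SIZE]
    disk_sig = b"\x12\x34\x56\x78\x00\x00"   # constructed disk signature + reserved bytes
    table = b"".join(struct.pack("<B3sB3sII", s, b"\0\0\0", t, b"\0\0\0", lba, n)
                     for s, t, lba, n in entries).ljust(64, b"\x00")
    return code + disk_sig + table + BOOT_SIGNATURE


# Constructed samples: a typical prologue (cli / xor ax,ax / mov ss,ax / mov sp,7C00h)
# padded with zeros stands in for real boot code; one NTFS partition starting at LBA 63.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
CLEAN_MBR = build_sample_mbr(CLEAN_CODE, [(0x80, 0x07, 63, 157_000_000)])
# Same partition table, first instruction replaced by a short jump (jmp +0x3C): what a
# patched boot sector looks like when the table is deliberately left intact.
PATCHED_MBR = build_sample_mbr(b"\xeb\x3c" + CLEAN_CODE[2:], [(0x80, 0x07, 63, 157_000_000)])

if __name__ == "__main__":
    baseline = boot_code_sha256(CLEAN_MBR)
    print("clean:  ", check_mbr(CLEAN_MBR, baseline))
    print("patched:", check_mbr(PATCHED_MBR, baseline))
    print("odd one out:", odd_ones_out({"disk0": CLEAN_MBR, "disk1": CLEAN_MBR, "disk2": PATCHED_MBR}))
```

On a live machine, replace the constructed samples with `read_physical_mbr(n)` for each physical disk and feed the results to `odd_ones_out`; keep the hashes from a known-clean read (boot media, or before the alert) as the `baseline_code_hash` for later comparison. The partition table is hashed separately on purpose: a boot-sector infection of this type leaves the table alone so the system still boots, and the code area is where the difference shows.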

Re: StealthMBR!mbr

Post by Carolyn » March 15th, 2009, 1:28 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.



Step 1

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Step 2

Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

If you receive no notice, click on the Scan button.

  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.

In your next reply, please post:

  1. DDS.txt
  2. Attach.txt
  3. Gmer.txt
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: StealthMBR!mbr

Post by HalibutStance » March 15th, 2009, 4:15 pm

Thanks very much for your assistance, Carolyn. Here are the logs you requested; I will patiently await your response:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Study at 10:58:48.59 on Sun 03/15/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1093 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Google\Update\GoogleUpdate.exe
F:\Program Files\McAfee.com\Agent\mcagent.exe
F:\Program Files\ASUS\AI Nap\AiNap.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\essspk.exe
F:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
F:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
F:\Program Files\AMD\RAIDXpert\_jvm\bin\java.exe
F:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe
F:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
F:\Program Files\McAfee\SiteAdvisor\McSACore.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\WINDOWS\system32\ctfmon.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
F:\Program Files\Messenger\msmsgs.exe
f:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\WINDOWS\system32\IoctlSvc.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\WINDOWS\System32\snmp.exe
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\WINDOWS\system32\fxssvc.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\WINDOWS\system32\SearchProtocolHost.exe
F:\Documents and Settings\Study\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - f:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - f:\progra~1\spybot~1\SDHelper.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - f:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - f:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - f:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - f:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "f:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [Uniblue RegistryBooster 2009] f:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [LightScribe Control Panel] f:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [SpybotSD TeaTimer] f:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "f:\program files\messenger\msmsgs.exe" /background
mRun: [IMJPMIG8.1] "f:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] f:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] f:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [mcagent_exe] f:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [Adobe Reader Speed Launcher] "f:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [MediaFace Integration] f:\program files\fellowes\mediaface 4.2\SetHook.exe
mRun: [Ai Nap] "f:\program files\asus\ai nap\AiNap.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE f:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [EssSpkPhone] essspk.exe -c
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Ad-Watch] f:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "f:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [DMXLauncher] "f:\program files\roxio\cineplayer\DMXLauncher.exe"
mRun: [RoxioDragToDisc] "f:\program files\roxio\drag-to-disc\DrgToDsc.exe"
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - f:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - f:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - f:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - f:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - f:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - f:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224128433955
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224135004234
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - f:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: LBTWlgn - f:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - f:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;f:\windows\system32\drivers\Lbd.sys [2009-3-9 64160]
R1 mfehidk;McAfee Inc. mfehidk;f:\windows\system32\drivers\mfehidk.sys [2008-10-17 201320]
R2 AMDRAIDXpert;AMD RAIDXpert;f:\program files\amd\raidxpert\jetty\extra\win32\Wrapper.exe [2003-9-29 110592]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;f:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
R2 LBeepKE;LBeepKE;f:\windows\system32\drivers\LBeepKE.sys [2008-12-3 10384]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;f:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-17 206096]
R2 McProxy;McAfee Proxy Service;f:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-17 359248]
R2 McShield;McAfee Real-time Scanner;f:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-17 144704]
R3 McSysmon;McAfee SystemGuards;f:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-17 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;f:\windows\system32\drivers\mfeavfk.sys [2008-10-17 79304]
R3 mfebopk;McAfee Inc. mfebopk;f:\windows\system32\drivers\mfebopk.sys [2008-10-17 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;f:\windows\system32\drivers\mfesmfk.sys [2008-10-17 40488]
S2 gupdate1c98cb92d37006c;Google Update Service (gupdate1c98cb92d37006c);f:\program files\google\update\GoogleUpdate.exe [2009-2-11 133104]
S3 mferkdk;McAfee Inc. mferkdk;f:\windows\system32\drivers\mferkdk.sys [2008-10-17 33832]
S3 papycpu;papycpu;f:\windows\system32\drivers\papycpu.sys [2008-11-29 1888]

=============== Created Last 30 ================

2009-03-10 20:51 56,056 a------- f:\windows\system32\DLAAPI_W.DLL
2009-03-10 20:51 51,768 a------- f:\windows\system32\drivers\DRVNDDM.SYS
2009-03-10 20:51 28,120 a------- f:\windows\system32\drivers\DLARTL_M.SYS
2009-03-10 20:51 12,856 a------- f:\windows\system32\drivers\DLACDBHM.SYS
2009-03-10 20:51 92,920 a------- f:\windows\DLA.EXE
2009-03-10 20:51 <DIR> --d----- f:\windows\system32\DLA
2009-03-10 20:50 <DIR> --d----- f:\program files\common files\SureThing Shared
2009-03-09 11:15 15,688 a------- f:\windows\system32\lsdelete.exe
2009-03-09 10:46 <DIR> --d----- f:\program files\Spybot - Search & Destroy
2009-03-09 10:46 <DIR> --d----- f:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-09 10:31 64,160 a------- f:\windows\system32\drivers\Lbd.sys
2009-03-09 09:42 <DIR> -cd-h--- f:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-09 09:42 <DIR> --d----- f:\program files\Lavasoft
2009-03-09 09:19 <DIR> --d----- f:\program files\SpywareBlaster
2009-03-07 12:14 <DIR> --d----- f:\program files\Trend Micro
2009-03-05 20:28 <DIR> --d----- f:\docume~1\study\applic~1\McAfee
2009-03-05 17:16 <DIR> --d----- f:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-05 17:15 <DIR> --d----- f:\program files\SUPERAntiSpyware
2009-03-05 17:15 <DIR> --d----- f:\docume~1\study\applic~1\SUPERAntiSpyware.com
2009-02-28 20:15 118,132 a------- F:\979772-US_Army_maps_v_16.kmz
2009-02-24 15:38 1,089,593 -c------ f:\windows\system32\dllcache\ntprint.cat
2009-02-19 19:16 <DIR> --d----- f:\program files\QuickMediaConverter
2009-02-18 22:57 <DIR> --d----- f:\docume~1\study\applic~1\AVS4YOU
2009-02-18 22:57 <DIR> --d----- f:\docume~1\alluse~1\applic~1\AVS4YOU
2009-02-18 22:56 <DIR> --d----- f:\program files\common files\AVSMedia
2009-02-18 22:56 1,700,352 a------- f:\windows\system32\GdiPlus.dll
2009-02-18 22:56 24,576 a------- f:\windows\system32\msxml3a.dll
2009-02-18 22:56 <DIR> --d----- f:\program files\AVS4YOU
2009-02-17 14:10 <DIR> --d----- F:\71e30bc844ae2a386853
2009-02-16 13:31 <DIR> --d----- f:\docume~1\study\applic~1\SuperNZB
2009-02-16 13:30 <DIR> --d----- f:\program files\SuperNZB
2009-02-15 18:23 <DIR> --d----- f:\program files\LightScribe Template Labeler

==================== Find3M ====================

2009-03-10 10:42 410,984 a------- f:\windows\system32\deploytk.dll
2009-02-09 04:13 1,846,784 a------- f:\windows\system32\win32k.sys
2008-12-20 16:15 826,368 a------- f:\windows\system32\wininet.dll

============= FINISH: 10:59:28.54 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 10/15/2008 7:37:35 PM
System Uptime: 3/13/2009 7:53:01 PM (39 hours ago)

Motherboard: ASUSTeK Computer INC. | | M3A78-EM
Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 6000+ | AM2 | 3113/200mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 126.638 GiB free.
E: is FIXED (NTFS) - 6 GiB total, 5.883 GiB free.
F: is FIXED (NTFS) - 75 GiB total, 46.397 GiB free.
G: is FIXED (NTFS) - 70 GiB total, 22.51 GiB free.
H: is FIXED (NTFS) - 70 GiB total, 23.1 GiB free.
I: is FIXED (NTFS) - 37 GiB total, 16.26 GiB free.
X: is CDROM ()
Y: is CDROM ()
Z: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 3/5/2009 7:14:52 PM - System Checkpoint
RP2: 3/5/2009 7:16:12 PM - Post-Trojan Removal Attempts
RP3: 3/6/2009 7:54:01 PM - System Checkpoint
RP4: 3/7/2009 12:04:48 PM - Removed Roxio Update Manager
RP5: 3/7/2009 12:07:53 PM - Removed Roxio Easy Media Creator
RP6: 3/8/2009 8:16:31 AM - Uniblue RegistryBooster 2009
RP7: 3/9/2009 5:49:03 AM - Removed SUPERAntiSpyware Free Edition
RP8: 3/9/2009 10:15:35 AM - Ad-Aware Checkpoint
RP9: 3/9/2009 10:29:27 AM - Uniblue RegistryBooster 2009
RP10: 3/10/2009 9:41:37 AM - Removed Java(TM) 6 Update 11
RP11: 3/10/2009 9:42:03 AM - Installed Java(TM) 6 Update 12
RP12: 3/10/2009 11:28:27 AM - Uniblue RegistryBooster 2009
RP13: 3/10/2009 7:46:27 PM - Installed Roxio Easy Media Creator
RP14: 3/10/2009 9:00:14 PM - Software Distribution Service 3.0
RP15: 3/12/2009 4:00:58 PM - System Checkpoint
RP16: 3/13/2009 4:10:59 PM - System Checkpoint
RP17: 3/14/2009 4:21:51 PM - System Checkpoint
RP18: 3/15/2009 6:41:34 AM - Software Distribution Service 3.0

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 2.0
Adobe Reader 9
AI Nap
ASUSUpdate
Canon iP4500 series
CDDRV_Installer
Colin McRae Rally 2
Colin McRae Rally 2005
Cool & Quiet
Critical Update for Windows Media Player 11 (KB959772)
EPSON Copy Utility 3
EPSON Scan
Google Earth
Google Update Helper
Google Updater
Grand Prix Legends
GTR
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Java(TM) 6 Update 12
Java(TM) 6 Update 7
KhalInstallWrapper
LightScribe System Software 1.17.90.1
LightScribe Template Labeler
Logitech SetPoint
McAfee SecurityCenter
MediaFACE 4.2
MediaFACE 4.2 Image Library
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Midtown Madness
Microsoft Monster Truck Madness 2
Microsoft National Language Support Downlevel APIs
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Pinball Arcade
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 7 Ultra Edition
neroxml
NVIDIA Drivers
PC Probe II
Player
RAIDXpert
Rally Trophy
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Roxio Drag-to-Disc
Roxio Easy Media Creator
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Shockwave
SideWinder Force Feedback Wheel (USB)
Sierra Utilities
Spybot - Search & Destroy
SpywareBlaster 4.1
SuperNZB v3.2.1
U.S. Robotics V.92 PCI Faxmodem
Uniblue RegistryBooster 2009
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office OneNote 2007 Help (KB957245)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

3/9/2009 5:49:06 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
3/9/2009 10:32:14 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the mcmscsvc service.

==== End Of File ===========================

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-15 13:05:43
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xBA92887E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xBA928C10]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB2F5B9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB2F5B958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB2F5B96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB2F5BA57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB2F5BA83]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB2F5BAF1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB2F5BADB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB2F5B9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB2F5BB1D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB2F5BA2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB2F5B930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB2F5B944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB2F5B9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB2F5BB59]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB2F5BAC5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB2F5BAAF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB2F5BA6D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB2F5BB45]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB2F5BB31]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB2F5B996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB2F5B982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB2F5BA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB2F5BB07]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB2F5BA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB2F5B9D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B2F5B9D8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B2F5B9AE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2006 7 Bytes JMP B2F5B9EE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E14 5 Bytes JMP B2F5BA04 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E6 7 Bytes JMP B2F5B9C2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB408 5 Bytes JMP B2F5B934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB694 5 Bytes JMP B2F5B948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE52 5 Bytes JMP B2F5B986 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1142 7 Bytes JMP B2F5B970 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11F8 5 Bytes JMP B2F5B95C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1702 5 Bytes JMP B2F5B99A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AA 5 Bytes JMP B2F5BA1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219CA 7 Bytes JMP B2F5BAB3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622042 7 Bytes JMP B2F5BB0B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 806228E0 7 Bytes JMP B2F5BAC9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231B4 7 Bytes JMP B2F5BA71 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C22 7 Bytes JMP B2F5BA5B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623DF2 7 Bytes JMP B2F5BA87 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FD2 7 Bytes JMP B2F5BAF5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062423C 7 Bytes JMP B2F5BADF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B64 5 Bytes JMP B2F5BA31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624E8A 7 Bytes JMP B2F5BB5D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062514A 5 Bytes JMP B2F5BB35 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062583E 5 Bytes JMP B2F5BB49 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625958 5 Bytes JMP B2F5BB21 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 021C0000
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 021C0073
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 021C0F7E
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 021C0058
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 021C0047
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 021C0FAF
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 021C0F41
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 021C0F52
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 021C00C9
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 021C0F26
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 021C0F0B
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 021C002C
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 021C0FDB
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 021C0F63
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 021C001B
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 021C0FCA
.text F:\Program Files\Messenger\msmsgs.exe[192] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 021C00A4
.text F:\Program Files\Messenger\msmsgs.exe[192] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE0F9C
.text F:\Program Files\Messenger\msmsgs.exe[192] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE0027
.text F:\Program Files\Messenger\msmsgs.exe[192] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE000C
.text F:\Program Files\Messenger\msmsgs.exe[192] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF
.text F:\Program Files\Messenger\msmsgs.exe[192] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0FAD
.text F:\Program Files\Messenger\msmsgs.exe[192] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FDE
.text F:\Program Files\Messenger\msmsgs.exe[192] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FF001B
.text F:\Program Files\Messenger\msmsgs.exe[192] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FF006C
.text F:\Program Files\Messenger\msmsgs.exe[192] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FF0FD4
.text F:\Program Files\Messenger\msmsgs.exe[192] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FF000A
.text F:\Program Files\Messenger\msmsgs.exe[192] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FF0FA5
.text F:\Program Files\Messenger\msmsgs.exe[192] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FF0FEF
.text F:\Program Files\Messenger\msmsgs.exe[192] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FF0047
.text F:\Program Files\Messenger\msmsgs.exe[192] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FF0036
.text F:\Program Files\Messenger\msmsgs.exe[192] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F60000
.text F:\Program Files\Messenger\msmsgs.exe[192] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 021B0FEF
.text F:\Program Files\Messenger\msmsgs.exe[192] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 021B000A
.text F:\Program Files\Messenger\msmsgs.exe[192] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 021B0FDE
.text F:\Program Files\Messenger\msmsgs.exe[192] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 021B0FCD
.text f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[544] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[544] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01350FEF
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01350089
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01350F94
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01350078
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01350051
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01350FC0
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01350F4B
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01350F68
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01350F1F
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01350F30
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 013500DD
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01350FAF
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 0135000A
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01350F79
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0135002C
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0135001B
.text F:\WINDOWS\system32\services.exe[788] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 013500AE
.text F:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01340011
.text F:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01340069
.text F:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01340000
.text F:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01340FD4
.text F:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0134004E
.text F:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01340FEF
.text F:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0134003D
.text F:\WINDOWS\system32\services.exe[788] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0134002C
.text F:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01330FCA
.text F:\WINDOWS\system32\services.exe[788] msvcrt.dll!system 77C293C7 5 Bytes JMP 01330055
.text F:\WINDOWS\system32\services.exe[788] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01330FEF
.text F:\WINDOWS\system32\services.exe[788] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01330000
.text F:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01330044
.text F:\WINDOWS\system32\services.exe[788] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0133001D
.text F:\WINDOWS\system32\services.exe[788] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01320000
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F50FEF
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F50F57
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F5004C
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F50F72
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F50F8D
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F50FA8
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F50098
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F50071
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F500BD
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F50F24
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00F500D8
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00F5002F
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00F50FDE
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00F50F46
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00F5000A
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00F50FB9
.text F:\WINDOWS\system32\lsass.exe[800] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00F50F35
.text F:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00F40000
.text F:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00F40040
.text F:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00F40FAF
.text F:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00F40FCA
.text F:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00F40F83
.text F:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00F40FE5
.text F:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00F40F94
.text F:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [14, 89] {ADC AL, 0x89}
.text F:\WINDOWS\system32\lsass.exe[800] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00F4001B
.text F:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C40070
.text F:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C4005F
.text F:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C40FEF
.text F:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C40000
.text F:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C40044
.text F:\WINDOWS\system32\lsass.exe[800] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C40029
.text F:\WINDOWS\system32\lsass.exe[800] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BF0FE5
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025F0FE5
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025F0F79
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025F006E
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025F0F94
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025F0051
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025F0036
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025F00AB
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025F009A
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025F00C6
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025F0F2D
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 025F0F08
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 025F0FA5
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 025F0000
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 025F0089
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 025F0FD4
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 025F0025
.text F:\WINDOWS\system32\svchost.exe[1028] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 025F0F3E
.text F:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 025E0FD4
.text F:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 025E004A
.text F:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 025E0FEF
.text F:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 025E0025
.text F:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 025E0F8D
.text F:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 025E0000
.text F:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 025E0FA8
.text F:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [7E, 8A] {JLE 0xffffffffffffff8c}
.text F:\WINDOWS\system32\svchost.exe[1028] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 025E0FB9
.text F:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025D0038
.text F:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!system 77C293C7 5 Bytes JMP 025D0027
.text F:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025D0FC8
.text F:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025D0000
.text F:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025D0FB7
.text F:\WINDOWS\system32\svchost.exe[1028] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025D0FE3
.text F:\WINDOWS\system32\svchost.exe[1028] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0000
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01090000
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01090093
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01090F9E
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01090FAF
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01090062
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01090040
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01090F72
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01090F83
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01090F3F
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01090F50
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 010900FD
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01090051
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01090FE5
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 010900AE
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 0109002F
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 01090FD4
.text F:\WINDOWS\system32\svchost.exe[1092] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 01090F61
.text F:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00FF0FD4
.text F:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00FF0076
.text F:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00FF0025
.text F:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00FF0FEF
.text F:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00FF0FB9
.text F:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00FF0000
.text F:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00FF005B
.text F:\WINDOWS\system32\svchost.exe[1092] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00FF0036
.text F:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00FE003D
.text F:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!system 77C293C7 5 Bytes JMP 00FE002C
.text F:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00FE0FCD
.text F:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00FE0FEF
.text F:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00FE0FBC
.text F:\WINDOWS\system32\svchost.exe[1092] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00FE0FDE
.text F:\WINDOWS\system32\svchost.exe[1092] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FD0FEF
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 023B0FEF
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 023B0054
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 023B0F5F
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 023B0039
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 023B0028
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 023B0F97
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 023B0085
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 023B0F3D
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 023B0F07
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 023B0F18
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 023B0EEC
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 023B0F86
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 023B0FDE
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 023B0F4E
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 023B0FB2
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 023B0FC3
.text F:\WINDOWS\System32\svchost.exe[1188] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 023B0096
.text F:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 02390FC0
.text F:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 02390F8D
.text F:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 02390FDB
.text F:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 02390011
.text F:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 0239004A
.text F:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 02390000
.text F:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 02390F9E
.text F:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [59, 8A]
.text F:\WINDOWS\System32\svchost.exe[1188] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 02390FAF
.text F:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02380049
.text F:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!system 77C293C7 5 Bytes JMP 02380038
.text F:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02380FD2
.text F:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02380000
.text F:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02380027
.text F:\WINDOWS\System32\svchost.exe[1188] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02380FEF
.text F:\WINDOWS\System32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 3 Bytes JMP 02370000
.text F:\WINDOWS\System32\svchost.exe[1188] WS2_32.dll!socket + 4 71AB4215 1 Byte [90]
.text F:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 023A0000
.text F:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 023A0011
.text F:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 023A0FD1
.text F:\WINDOWS\System32\svchost.exe[1188] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 023A002C
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C70000
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C70F79
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C7006E
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C7005D
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C70036
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C70FB9
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C70090
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C7007F
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C70F12
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C70F23
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00C70EF7
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00C70F94
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00C70FEF
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00C70F5E
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00C70FCA
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00C7001B
.text F:\WINDOWS\system32\svchost.exe[1432] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00C700A1
.text F:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00A10036
.text F:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00A10062
.text F:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00A10025
.text F:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00A10000
.text F:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00A10FA5
.text F:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00A10FEF
.text F:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00A10051
.text F:\WINDOWS\system32\svchost.exe[1432] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00A10FCA
.text F:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A0002C
.text F:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A00011
.text F:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A00FC6
.text F:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A00FEF
.text F:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A00FA1
.text F:\WINDOWS\system32\svchost.exe[1432] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A00000
.text F:\WINDOWS\system32\svchost.exe[1432] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009F0000
.text F:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00A20FEF
.text F:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00A20FDE
.text F:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00A2000A
.text F:\WINDOWS\system32\svchost.exe[1432] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00A20025
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E50FEF
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E50F6D
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E50062
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E50051
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E50F9E
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E5002F
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E50F52
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E5008E
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E50F2D
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E500C6
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00E500E1
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00E50040
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00E50FD4
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00E5007D
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00E50014
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00E50FC3
.text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00E500B5
.text F:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00DD0FA8
.text F:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00DD0F7C
.text F:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00DD0FC3
.text F:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00DD0FD4
.text F:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00DD002F
.text F:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00DD0FE5
.text F:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00DD001E
.text F:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00DD0F97
.text F:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00DC0042
.text F:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!system 77C293C7 5 Bytes JMP 00DC0031
.text F:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00DC0FC1
.text F:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00DC0FEF
.text F:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00DC0016
.text F:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00DC0FD2
.text F:\WINDOWS\Explorer.EXE[1892] WININET.dll!InternetOpenA 7806C865 5 Bytes JMP 00DE0000
.text F:\WINDOWS\Explorer.EXE[1892] WININET.dll!InternetOpenW 7806CE99 5 Bytes JMP 00DE0FDB
.text F:\WINDOWS\Explorer.EXE[1892] WININET.dll!InternetOpenUrlA 78070BCA 5 Bytes JMP 00DE0FC0
.text F:\WINDOWS\Explorer.EXE[1892] WININET.dll!InternetOpenUrlW 780BAEB9 5 Bytes JMP 00DE0FA5
.text F:\WINDOWS\Explorer.EXE[1892] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DA0FE5
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BB0FEF
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BB0071
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BB0060
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BB0F7C
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BB002F
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BB0FA8
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BB0F50
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BB0F61
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BB0F10
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BB0F2B
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BB00CE
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BB0F8D
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BB000A
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BB0082
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BB0FB9
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BB0FD4
.text F:\WINDOWS\system32\svchost.exe[2908] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BB00B3
.text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00BA0FCA
.text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00BA0F8A
.text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00BA0FDB
.text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00BA0011
.text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00BA0047
.text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00BA0000
.text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00BA0FA5
.text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [DA, 88]
.text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00BA0036
.text F:\WINDOWS\system32\svchost.exe[2908] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B90F9E
.text F:\WINDOWS\system32\svchost.exe[2908] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B90FC3
.text F:\WINDOWS\system32\svchost.exe[2908] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B90029
.text F:\WINDOWS\system32\svchost.exe[2908] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B90FEF
.text F:\WINDOWS\system32\svchost.exe[2908] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B90FDE
.text F:\WINDOWS\system32\svchost.exe[2908] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B9000C
.text F:\WINDOWS\system32\SearchIndexer.exe[4012] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C F:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1c sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-24 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\ultra \Device\Scsi\ultra1Port4Path0Target3Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\ultra \Device\Scsi\ultra1Port4Path0Target1Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\ultra \Device\Scsi\ultra1Port4Path0Target2Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\ultra \Device\Scsi\ultra1Port4Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\ultra \Device\Scsi\ultra1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----
HalibutStance
Active Member
 
Posts: 9
Joined: March 7th, 2009, 7:48 pm
Location: (Fabulous) Las Vegas
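A note on reading the "---- User code sections ----" part of a GMER log like the one above: each `.text` line names a process, an exported function in a loaded DLL, the address patched, how many bytes were overwritten, and where the new `JMP` lands; when GMER can attribute the jump target to a loaded module it appends that module, as on the `SearchIndexer.exe ... MSSRCH.DLL` line above, and otherwise the target is in memory it could not name. Security products install hooks like these too (the Devices section shows McAfee's host intrusion detection driver on this machine), so a hook list by itself is not evidence of infection; what a helper wants from it is a per-process summary and a list of the jumps that land outside any named module, to look at by hand. The parser below is an added example for doing that triage offline; it is not part of GMER or of this thread, and the line layout it assumes is derived from the log above rather than from GMER documentation. The sample lines are copied from that log.

```python
import re

# Assumed layout of one GMER user-mode hook line (inferred from the log in this thread):
#   .text <image>[<pid>] <dll>!<export>[ + <off>] <addr> <n> Byte(s) <patch> [<owner> (<desc>)]
# <patch> is "JMP <hex target>" or a raw byte list such as "[DA, 88]";
# <owner> is the module GMER attributed the JMP target to, if it found one.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<dll>[^!\s]+)!(?P<export>[^\s+]+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"(?P<patch>JMP\s+[0-9A-Fa-f]{8}|\[[^\]]*\])"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)

# Sample input: lines copied from the GMER log above, plus one non-hook line
# that the parser must skip.
SAMPLE_LINES = [
    r".text F:\WINDOWS\System32\svchost.exe[1188] WS2_32.dll!socket 71AB4211 3 Bytes JMP 02370000",
    r".text F:\WINDOWS\System32\svchost.exe[1188] WS2_32.dll!socket + 4 71AB4215 1 Byte [90]",
    r".text F:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E50F2D",
    r".text F:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00DD001E",
    r".text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00BA0FA5",
    r".text F:\WINDOWS\system32\svchost.exe[2908] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [DA, 88]",
    r".text F:\WINDOWS\system32\SearchIndexer.exe[4012] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 00585C0C F:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)",
    "---- Devices - GMER 1.0.15 ----",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse_hook_line(line):
    """Parse one hook line into a dict; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    h = m.groupdict()
    h["pid"] = int(h["pid"])
    h["size"] = int(h["size"])
    h["offset"] = int(h["offset"]) if h["offset"] else 0
    h["is_jmp"] = h["patch"].startswith("JMP")
    # Hex target of the JMP; None for a raw byte patch like "[90]"
    h["target"] = h["patch"].split()[1] if h["is_jmp"] else None
    return h


def parse_gmer_hooks(text):
    """All hook records in a GMER log, in file order."""
    return [h for h in (parse_hook_line(l) for l in text.splitlines()) if h]


def unresolved_jmp_hooks(hooks):
    """Hooks whose JMP lands in memory GMER could not attribute to a module."""
    return [h for h in hooks if h["is_jmp"] and not h["owner"]]


def summarize_by_process(hooks):
    """pid -> {image, hooked: sorted 'dll!export' names, unresolved: count}.

    Continuation records (export + offset, e.g. 'socket + 4') are the tail of a
    patch already counted under the base export and are not counted again.
    """
    out = {}
    for h in hooks:
        if h["offset"]:
            continue
        entry = out.setdefault(h["pid"], {"image": h["image"], "hooked": set(), "unresolved": 0})
        entry["hooked"].add(f'{h["dll"]}!{h["export"]}')
        if h["is_jmp"] and not h["owner"]:
            entry["unresolved"] += 1
    for entry in out.values():
        entry["hooked"] = sorted(entry["hooked"])
    return out


if __name__ == "__main__":
    hooks = parse_gmer_hooks(SAMPLE_LOG)
    for pid, e in sorted(summarize_by_process(hooks).items()):
        print(f"{pid:>5} {e['image']}: {len(e['hooked'])} hooked export(s), "
              f"{e['unresolved']} with unattributed JMP target")
    for h in unresolved_jmp_hooks(hooks):
        print(f"  review: pid {h['pid']} {h['dll']}!{h['export']} -> {h['target']}")
```

Run on the full log, the summary shows the same set of file, process, registry, socket and WinINet exports hooked in every listed process, which is the pattern of a single product hooking everything rather than of one process being singled out; the `review:` lines are the ones to match against the modules the product is known to load.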

Re: StealthMBR!mbr

Unread postby Carolyn » March 16th, 2009, 6:31 pm

Hello,

Registry Cleaners

I notice the presence of Uniblue RegistryBooster 2009 Registry Cleaner on your pc.

I don't personally recommend the use of ANY registry cleaners.
Here is an excerpt from a discussion on registry cleaners:
Most reg cleaners aren't "bad" as such, but they aren't perfect and even the best have been known to cause problems.
The point we are trying to make is that the risk of using one far outweighs any benefit.
If it does work perfectly you will not see any difference
If it doesn't work properly you may end up with an expensive doorstop.

http://forums.whatthetech.com/Regcleaner_t42862.html

===================================

I am not seeing any signs of StealthMBR on your computer. It definitely would have shown up in the GMER scan if it were there... But just to be over-cautious, I would like to do one more scan.


Disable Spybot's TeaTimer. This is a two step process.

Spybot S&D's TeaTimer normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.


Disable Ad-Aware

    First please disable Ad-Aware as it may interfere with repairs.

    • Click the Settings button, then the Auto Scans tab, and under "Scan on Ad-Aware startup" be sure both selections for "No automated scan" are checked (green).
    • Then click Save and close Ad-Aware.

========================================

  1. Download Dr. Web CureIt and save it to your desktop.
  2. Double click on cureit.exe to run it.
  3. Click on Start to start the scan.
  4. Dr Web CureIt will prompt you. Click OK.
  5. This will start an express scan. It shouldn't take too long.
  6. When done, click on Options > Change settings.
  7. Select the Scan tab. Uncheck (untick) Heuristics analysis box.
  8. Select the Log file tab. Uncheck (untick) Maximum log file size box.
  9. Click OK to apply the settings.
  10. Select the Complete scan radio button, then click on the green triangle button on the right hand side.
  11. It will start scanning. Please be patient as this scan can be long.
  12. During the scan, if it finds any infected items, it will prompt you. Click Yes to all to cure the files.
  13. Click on File > Save report list. Save this report to a convenient location.

========================================

Please post the report from DrWeb CureIt along with a fresh HijackThis log and a description of how your computer is behaving.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: StealthMBR!mbr

Unread postby HalibutStance » March 17th, 2009, 10:24 am

Well ... THAT was interesting. There were items there, but they appear to have been taken care of.

First, after reading the link you provided to me regarding registry cleaners, I have attempted to uninstall Uniblue RegistryBooster through Control Panel - it seemed the prudent thing to do in light of the potential negatives.

I disabled TeaTimer; no problems there. I'm running Ad-Aware Free "Anniversary Edition" - it does not provide for auto scanning, so there was nothing to disable.

On the express scan, Dr. Web CureIt found 3 items: "Infected with BackDoor.MaosBoot". It took me straight to a "repair" prompt, so I was unable to save the log, such as it was. I elected to repair; all 3 instances were stated by the prompts to be located at F:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\gdiplus.dll (I hope I transcribed this correctly). After the repairs were effected the computer rebooted - and there were no McAfee Trojan notifications upon startup. I ran a complete scan and no items were identified; hence, I was provided with no option allowing me to save a log. Here is the subsequent HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:59:20 PM, on 3/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Google\Update\GoogleUpdate.exe
F:\Program Files\McAfee.com\Agent\mcagent.exe
F:\Program Files\ASUS\AI Nap\AiNap.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\essspk.exe
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
F:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
F:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\AMD\RAIDXpert\_jvm\bin\java.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\Program Files\McAfee\SiteAdvisor\McSACore.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\IoctlSvc.exe
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\WINDOWS\system32\fxssvc.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - f:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - f:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MediaFace Integration] F:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [Ai Nap] "F:\Program Files\ASUS\AI Nap\AiNap.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -c
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Ad-Watch] F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RoxWatchTray] "F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "F:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] F:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [LightScribe Control Panel] F:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = F:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224128433955
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224135004234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - f:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AMD RAIDXpert (AMDRAIDXpert) - Unknown owner - F:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
O23 - Service: Google Update Service (gupdate1c98cb92d37006c) (gupdate1c98cb92d37006c) - Google Inc. - F:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - F:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - F:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - F:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - F:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - F:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10957 bytes

There is one more nagging little item in this box that bothers me a bit: I installed an old fax modem and downloaded a driver for it, which I never got to work. Unfortunately, a little gift came with the modem driver, a Modem On Hold Utility which blinks a control panel on startup and which dropped a little yellow telephone icon onto my tray. When I point at it it says "Right click on me!", which seems a bit too enthusiastic for a modem. If I elect to "Exit MOH Application" on its control panel it warns "You pressed EXIT button. Modem On Hold and Initiate Call will be disabled. If you're online currently, the sustem may be corrupted! Are you sure to terminate this program?", which sounds vaguely threatening, stilted English and all. Are you aware of any way I can get rid of this little nuisance? I would be happy to start another thread if that is what would be necessary to solve this issue.

Thanks so much for your assistance, Carolyn. The service you and your cohorts are providing for the rest of us is invaluable. It is such a relief to have confidence regarding my computer's internet connection again.
HalibutStance
Active Member
 
Posts: 9
Joined: March 7th, 2009, 7:48 pm
Location: (Fabulous) Las Vegas

Re: StealthMBR!mbr

Unread postby HalibutStance » March 18th, 2009, 10:31 am

Whoops - I spoke too soon. One of my hard drives (which was divided into two partitions, G and H) has disappeared - or, rather, has been redefined as a single "unallocated" drive. The G is one of the drives the Trojan seemed to have taken residence on ... have to go to work now ...
HalibutStance
Active Member
 
Posts: 9
Joined: March 7th, 2009, 7:48 pm
Location: (Fabulous) Las Vegas

Re: StealthMBR!mbr

Unread postby Carolyn » March 18th, 2009, 2:20 pm

Hi,

One of my hard drives (which was divided into two partitions, G and H) has disappeared - or, rather, has been redefined as a single "unallocated" drive. The G is one of the drives the Trojan seemed to have taken residence on ...


Sounds like that hard drive failed. :( You will have to post at one of the general computer troubleshooting forums for assistance with that problem. Let's do one more scan first though to make certain that your computer is clean.

===========================

Disable EasySpeak Call Waiting
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside the item listed below (if present):

    O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -c

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

===========================

Remove Outdated Java
Older versions have vulnerabilities that malware can use to infect your system.

Please Click Start > Control Panel > Add/Remove Programs
Remove this program by clicking Remove

Java(TM) 6 Update 7

===========================

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log and a description of how your computer is behaving.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: StealthMBR!mbr

Unread postby HalibutStance » March 19th, 2009, 10:19 am

Thanks to your guidance, EasySpeak Call Waiting, whatever that was, is GONE. And Java(TM) 6 Update 7 has been eradicated as well. However ...

I tried to run the Kaspersky online virus scan, but when I was prompted to install the associated ActiveX app I was told by a dialog box in no uncertain terms that "Windows has blocked this software because it can't verify the publisher." In the hope that I could get something good to happen, I dumped Cox Security Suite by McAfee and installed the trial Kaspersky Internet Security 2009. I still got "Windows has blocked this software..." Meh. I started to run a full scan in Kaspersky Internet Security, but by the time I got up this morning it indicated the scan was only 5% complete ... after 8-1/2 hours. It seems to have gotten bogged down in my uploaded video files. I stopped the full scan and ran a quick scan, which indicated no items. But I'm attempting a full scan again, being more patient(!) this time.

I'll post the requested logs once this scan wraps up - assuming it ever does! ;~)
HalibutStance
Active Member
Posts: 9
Joined: March 7th, 2009, 7:48 pm
Location: (Fabulous) Las Vegas

Re: StealthMBR!mbr

Unread postby Carolyn » March 19th, 2009, 10:43 am

HalibutStance wrote: I tried to run the Kaspersky online virus scan, but when I was prompted to install the associated ActiveX app I was told by a dialog box in no uncertain terms that "Windows has blocked this software because it can't verify the publisher."

That is strange; the Kaspersky online scan does not use ActiveX, it uses Java.

HalibutStance wrote: In the hope that I could get something good to happen, I dumped Cox Security Suite by McAfee and installed the trial Kaspersky Internet Security 2009. I still got "Windows has blocked this software..." Meh. I started to run a full scan in Kaspersky Internet Security, but by the time I got up this morning it indicated the scan was only 5% complete ... after 8-1/2 hours.

Did you completely uninstall McAfee before installing Kaspersky Internet Security? Please stop that scan. It is not a replacement for the online scan I requested and it should not take that long to run.

Please do the following:
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized).
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: StealthMBR!mbr

Unread postby HalibutStance » March 19th, 2009, 9:56 pm

I double-checked my McAfee uninstall - there was a McAfee folder lurking about under Programs in the Startup file of the Study account. It's been deleted.

Requested logs:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Study at 2009-03-19 18:48:00
Microsoft Windows XP Home Edition Service Pack 3
System drive F: has 46 GB (61%) free of 76 GB
Total RAM: 2047 MB (66% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:09 PM, on 3/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Google\Update\GoogleUpdate.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ASUS\AI Nap\AiNap.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
F:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
F:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\IoctlSvc.exe
F:\Program Files\AMD\RAIDXpert\_jvm\bin\java.exe
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\fxssvc.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Study\Desktop\RSIT.exe
F:\Program Files\Trend Micro\HijackThis\Study.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MediaFace Integration] F:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [Ai Nap] "F:\Program Files\ASUS\AI Nap\AiNap.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Ad-Watch] F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RoxWatchTray] "F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "F:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] F:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [LightScribe Control Panel] F:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = F:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224128433955
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224135004234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,F:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,F:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AMD RAIDXpert (AMDRAIDXpert) - Unknown owner - F:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Update Service (gupdate1c98cb92d37006c) (gupdate1c98cb92d37006c) - Google Inc. - F:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - F:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - F:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - F:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - F:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10219 bytes

======Scheduled tasks folder======

F:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
F:\WINDOWS\tasks\GoogleUpdateTaskMachine.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C}]
IEVkbdBHO Class - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll [2008-11-11 62728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - F:\Program Files\Java\jre6\bin\ssv.dll [2009-03-10 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - F:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-17 652784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - F:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-10 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-10 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"Adobe Reader Speed Launcher"=F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]
"MediaFace Integration"=F:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe [2005-03-28 53248]
"Ai Nap"=F:\Program Files\ASUS\AI Nap\AiNap.exe [2008-05-26 1423360]
"NvMediaCenter"=F:\WINDOWS\system32\NvMcTray.dll [2008-09-18 86016]
"Kernel and Hardware Abstraction Layer"=F:\WINDOWS\KHALMNPR.EXE [2008-10-10 69632]
"RTHDCPL"=F:\WINDOWS\RTHDCPL.EXE [2008-05-15 16862720]
"Alcmtr"=F:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"Ad-Watch"=F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe [2009-03-09 515416]
"NvCplDaemon"=F:\WINDOWS\system32\NvCpl.dll [2008-09-18 13574144]
""= []
"RoxWatchTray"=F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [2007-01-11 232184]
"DMXLauncher"=F:\Program Files\Roxio\CinePlayer\DMXLauncher.exe [2007-01-17 109304]
"RoxioDragToDisc"=F:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe [2007-02-12 1121016]
"SunJavaUpdateSched"=F:\Program Files\Java\jre6\bin\jusched.exe [2009-03-10 148888]
"AVP"=F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe [2009-03-18 206088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2008-01-22 152872]
"Uniblue RegistryBooster 2009"=F:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S []
"LightScribe Control Panel"=F:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2008-12-07 2387968]
"ctfmon.exe"=F:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MSMSGS"=F:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
[]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Logitech SetPoint.lnk - F:\Program Files\Logitech\SetPoint\SetPoint.exe
Windows Search.lnk - F:\Program Files\Windows Desktop Search\WindowsSearch.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,F:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,F:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\klogon]
F:\WINDOWS\system32\klogon.dll [2008-11-11 218376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
f:\program files\common files\logishrd\bluetooth\LBTWlgn.dll [2008-11-07 72208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=F:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Lavasoft Ad-Aware Service]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WdfLoadGroup]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"F:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="F:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-19 18:48:00 ----D---- F:\rsit
2009-03-18 18:55:13 ----D---- F:\Program Files\Kaspersky Lab
2009-03-18 18:55:13 ----D---- F:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-03-18 18:49:32 ----D---- F:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-15 15:45:35 ----D---- F:\Program Files\AudioConverter Studio
2009-03-10 22:00:32 ----HDC---- F:\WINDOWS\$NtUninstallKB960225$
2009-03-10 22:00:29 ----HDC---- F:\WINDOWS\$NtUninstallKB958690$
2009-03-10 22:00:16 ----HDC---- F:\WINDOWS\$NtUninstallKB959772_WM11$
2009-03-10 20:51:03 ----A---- F:\WINDOWS\system32\DLAAPI_W.DLL
2009-03-10 20:51:02 ----D---- F:\WINDOWS\system32\DLA
2009-03-10 20:51:02 ----A---- F:\WINDOWS\DLA.EXE
2009-03-10 20:50:17 ----D---- F:\Program Files\Common Files\SureThing Shared
2009-03-10 10:42:33 ----A---- F:\WINDOWS\system32\javaws.exe
2009-03-10 10:42:33 ----A---- F:\WINDOWS\system32\javaw.exe
2009-03-10 10:42:33 ----A---- F:\WINDOWS\system32\java.exe
2009-03-09 11:15:39 ----A---- F:\WINDOWS\system32\lsdelete.exe
2009-03-09 10:46:55 ----D---- F:\Program Files\Spybot - Search & Destroy
2009-03-09 10:46:55 ----D---- F:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-09 09:42:07 ----HDC---- F:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-09 09:42:02 ----D---- F:\Program Files\Lavasoft
2009-03-09 09:42:02 ----D---- F:\Documents and Settings\All Users\Application Data\Lavasoft
2009-03-09 09:19:25 ----D---- F:\Program Files\SpywareBlaster
2009-03-07 12:14:33 ----D---- F:\Program Files\Trend Micro
2009-03-05 20:28:18 ----D---- F:\Documents and Settings\Study\Application Data\McAfee
2009-03-05 17:16:04 ----D---- F:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-05 17:15:54 ----D---- F:\Documents and Settings\Study\Application Data\SUPERAntiSpyware.com
2009-02-24 17:24:04 ----HDC---- F:\WINDOWS\$NtUninstallKB961118$
2009-02-24 17:23:56 ----HDC---- F:\WINDOWS\$NtUninstallKB967715$

======List of files/folders modified in the last 1 months======

2009-03-19 18:47:47 ----D---- F:\WINDOWS\Prefetch
2009-03-19 18:45:05 ----D---- F:\WINDOWS\Temp
2009-03-19 18:19:12 ----D---- F:\WINDOWS\system32
2009-03-19 18:19:12 ----A---- F:\WINDOWS\system32\PerfStringBackup.INI
2009-03-19 18:15:16 ----A---- F:\WINDOWS\ModemLog_U.S. Robotics V.92 PCI Faxmodem.txt
2009-03-19 18:11:14 ----A---- F:\WINDOWS\SchedLgU.Txt
2009-03-18 20:02:01 ----D---- F:\Documents and Settings\All Users\Application Data\Google Updater
2009-03-18 19:04:35 ----D---- F:\WINDOWS\system32\drivers
2009-03-18 18:58:58 ----D---- F:\WINDOWS
2009-03-18 18:55:56 ----SHD---- F:\WINDOWS\Installer
2009-03-18 18:55:56 ----D---- F:\Config.Msi
2009-03-18 18:55:40 ----HD---- F:\WINDOWS\inf
2009-03-18 18:55:13 ----RD---- F:\Program Files
2009-03-18 18:55:08 ----D---- F:\WINDOWS\system32\CatRoot2
2009-03-18 18:45:38 ----D---- F:\Documents and Settings\All Users\Application Data\McAfee
2009-03-18 18:45:10 ----D---- F:\Program Files\Common Files
2009-03-18 18:43:23 ----SD---- F:\WINDOWS\Tasks
2009-03-18 18:23:40 ----D---- F:\Program Files\Java
2009-03-18 06:53:19 ----D---- F:\WINDOWS\system32\FxsTmp
2009-03-17 05:59:45 ----DC---- F:\WINDOWS\system32\DRVSTORE
2009-03-17 05:53:33 ----AD---- F:\Documents and Settings\All Users\Application Data\TEMP
2009-03-15 17:56:03 ----SD---- F:\WINDOWS\Downloaded Program Files
2009-03-15 16:37:11 ----D---- F:\Documents and Settings\Study\Application Data\SuperNZB
2009-03-14 09:39:52 ----A---- F:\WINDOWS\NeroDigital.ini
2009-03-13 20:38:42 ----D---- F:\Program Files\Microsoft Games
2009-03-10 22:00:34 ----RSHDC---- F:\WINDOWS\system32\dllcache
2009-03-10 22:00:31 ----A---- F:\WINDOWS\imsins.BAK
2009-03-10 21:46:05 ----HD---- F:\WINDOWS\$hf_mig$
2009-03-10 20:51:08 ----D---- F:\Program Files\InterActual
2009-03-10 20:51:03 ----A---- F:\WINDOWS\wininit.ini
2009-03-10 20:51:00 ----D---- F:\Program Files\Roxio
2009-03-10 20:50:04 ----D---- F:\Program Files\Common Files\Sonic Shared
2009-03-10 20:48:36 ----D---- F:\Program Files\Common Files\Roxio Shared
2009-03-10 20:48:24 ----RSD---- F:\WINDOWS\Fonts
2009-03-10 20:47:42 ----D---- F:\Documents and Settings\All Users\Application Data\Roxio
2009-03-10 10:42:07 ----A---- F:\WINDOWS\system32\deploytk.dll
2009-03-09 09:41:59 ----D---- F:\WINDOWS\WinSxS
2009-03-05 20:14:49 ----D---- F:\WINDOWS\system32\Restore
2009-03-05 20:14:48 ----SHD---- F:\System Volume Information
2009-03-05 20:00:55 ----D---- F:\Documents and Settings
2009-03-01 08:04:18 ----D---- F:\Program Files\Microsoft Silverlight
2009-02-25 12:55:00 ----A---- F:\WINDOWS\system32\MRT.exe
2009-02-24 17:24:16 ----D---- F:\WINDOWS\system32\CatRoot
2009-02-21 00:39:47 ----D---- F:\Documents and Settings\Study\Application Data\Roxio

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdPPM;AMD HwPState Processor Driver; F:\WINDOWS\system32\DRIVERS\AmdPPM.sys [2007-04-16 33792]
R1 AsIO;AsIO; F:\WINDOWS\system32\drivers\AsIO.sys [2008-10-22 12400]
R1 DLACDBHM;DLACDBHM; F:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2007-02-08 12856]
R1 DLARTL_M;DLARTL_M; F:\WINDOWS\System32\Drivers\DLARTL_M.SYS [2007-02-08 28120]
R1 kbdhid;Keyboard HID Driver; F:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 KLIF;Kaspersky Lab Driver; F:\WINDOWS\system32\DRIVERS\klif.sys [2009-03-18 226832]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; F:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 DLABMFSM;DLABMFSM; F:\WINDOWS\System32\DLA\DLABMFSM.SYS [2006-11-01 35064]
R2 DLABOIOM;DLABOIOM; F:\WINDOWS\System32\DLA\DLABOIOM.SYS [2006-11-01 32472]
R2 DLADResM;DLADResM; F:\WINDOWS\System32\DLA\DLADResM.SYS [2006-11-01 9400]
R2 DLAIFS_M;DLAIFS_M; F:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2006-11-01 104760]
R2 DLAOPIOM;DLAOPIOM; F:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2006-11-01 26744]
R2 DLAPoolM;DLAPoolM; F:\WINDOWS\System32\DLA\DLAPoolM.SYS [2006-11-01 14520]
R2 DLAUDF_M;DLAUDF_M; F:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2006-11-01 98104]
R2 DLAUDFAM;DLAUDFAM; F:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2006-11-01 94648]
R2 DRVNDDM;DRVNDDM; F:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2007-02-09 51768]
R2 LBeepKE;LBeepKE; F:\WINDOWS\System32\Drivers\LBeepKE.sys [2008-09-26 10384]
R2 mdmxsdk;mdmxsdk; F:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-03-17 13059]
R3 Afc;PPdus ASPI Shell; F:\WINDOWS\system32\drivers\Afc.sys [2005-02-23 11776]
R3 Arp1394;1394 ARP Client Protocol; F:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 GcKernel;Microsoft SideWinder Value Add - Filter Driver; F:\WINDOWS\system32\DRIVERS\GcKernel.sys [2008-04-13 59136]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; F:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HIDSwvd;Microsoft SideWinder Virtual HID Device Mini-Driver; F:\WINDOWS\system32\DRIVERS\HIDSwvd.sys [2001-08-17 2688]
R3 hidusb;Microsoft HID Class Driver; F:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; F:\WINDOWS\system32\DRIVERS\USR_MDMV.sys [2005-08-08 1035008]
R3 HSFHWBS2;HSFHWBS2; F:\WINDOWS\system32\DRIVERS\USR_BSC2.sys [2005-08-08 231168]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); F:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-05-20 4800000]
R3 KLFLTDEV;Kaspersky Lab KLFltDev; F:\WINDOWS\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter; F:\WINDOWS\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 LHidFilt;Logitech SetPoint KMDF HID Filter Driver; F:\WINDOWS\system32\DRIVERS\LHidFilt.Sys [2008-09-26 35472]
R3 LMouFilt;Logitech SetPoint KMDF Mouse Filter Driver; F:\WINDOWS\system32\DRIVERS\LMouFilt.Sys [2008-09-26 37392]
R3 mouhid;Mouse HID Driver; F:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 MTsensor;ATK0110 ACPI UTILITY; F:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-14 5810]
R3 NIC1394;1394 Net Driver; F:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; F:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2008-09-18 6132576]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; F:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2007-05-31 96896]
R3 usbccgp;Microsoft USB Generic Parent Driver; F:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; F:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; F:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; F:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; F:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; F:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 Wdf01000;Wdf01000; F:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
R3 winachsf;winachsf; F:\WINDOWS\system32\DRIVERS\HSF_USR.sys [2005-08-08 729728]
S1 AmdK8;AMD Processor Driver; F:\WINDOWS\system32\DRIVERS\AmdK8.sys []
S3 L8042Kbd;Logitech SetPoint Keyboard Driver; F:\WINDOWS\system32\DRIVERS\L8042Kbd.sys [2008-09-26 20240]
S3 LUsbFilt;Logitech SetPoint KMDF USB Filter; F:\WINDOWS\System32\Drivers\LUsbFilt.Sys [2008-09-26 28816]
S3 papycpu;papycpu; F:\WINDOWS\system32\drivers\papycpu.sys [1998-09-14 1888]
S3 SABProcEnum;SABProcEnum; \??\F:\Program Files\Internet Explorer\SABProcEnum.sys []
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); F:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbaudio;USB Audio Driver (WDM); F:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 USBSTOR;USB Mass Storage Driver; F:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; F:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; F:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; F:\WINDOWS\system32\drivers\IntelIde.sys []
S4 RxFilter;RxFilter; F:\WINDOWS\system32\DRIVERS\RxFilter.sys [2006-12-13 50688]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R01000000 papycpu2;papycpu2; F:\WINDOWS\system32\drivers\papycpu2.sys [2001-04-20 2016]
R2 AMDRAIDXpert;AMD RAIDXpert; F:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe [2003-09-29 110592]
R2 AVP;Kaspersky Internet Security; F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe [2009-03-18 206088]
R2 Fax;Fax; F:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
R2 gusvc;Google Updater Service; F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-17 168432]
R2 JavaQuickStarterService;Java Quick Starter; F:\Program Files\Java\jre6\bin\jqs.exe [2009-03-10 152984]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service; F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-17 951632]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; F:\Program Files\Common Files\LightScribe\LSSrvc.exe [2008-12-07 73728]
R2 NVSvc;NVIDIA Display Driver Service; F:\WINDOWS\system32\nvsvc32.exe [2008-09-18 163908]
R2 PLFlash DeviceIoControl Service;PLFlash DeviceIoControl Service; F:\WINDOWS\system32\IoctlSvc.exe [2006-12-19 81920]
R2 SNMP;SNMP Service; F:\WINDOWS\System32\snmp.exe [2008-04-13 33280]
R2 WSearch;Windows Search; F:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]
R3 NMIndexingService;NMIndexingService; F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2008-01-22 275752]
S2 gupdate1c98cb92d37006c;Google Update Service (gupdate1c98cb92d37006c); F:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-11 133104]
S2 RoxLiveShare9;LiveShare P2P Server 9; F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe [2007-01-11 310008]
S2 RoxWatch9;Roxio Hard Drive Watcher 9; F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2007-01-11 166648]
S3 ACDaemon;ArcSoft Connect Daemon; F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe []
S3 aspnet_state;ASP.NET State Service; F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; F:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; F:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 idsvc;Windows CardSpace; F:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 LBTServ;Logitech Bluetooth Service; F:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe [2008-11-07 121360]
S3 LPDSVC;TCP/IP Print Server; F:\WINDOWS\system32\tcpsvcs.exe [2004-08-04 19456]
S3 NBService;NBService; F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2008-04-08 800040]
S3 odserv;Microsoft Office Diagnostics Service; F:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; F:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 RoxMediaDB9;RoxMediaDB9; F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-01-11 887544]
S3 SNMPTRAP;SNMP Trap Service; F:\WINDOWS\System32\snmptrap.exe [2008-04-13 8704]
S3 stllssvr;stllssvr; F:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2006-09-14 73728]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; F:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; F:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; F:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.05 2009-03-19 18:48:11

======Uninstall list======

-->F:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->F:\WINDOWS\system32\\MSIEXEC.EXE /x {637099FB-45FD-4BC7-9651-6FB540DBB749}
-->F:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->F:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->F:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->F:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->F:\WINDOWS\UNRecode.exe /UNINSTALL
-->MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
-->MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
-->MsiExec.exe /I{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
-->MsiExec.exe /I{1B683082-8791-4D00-8ADE-6C8986FCCC68}
-->MsiExec.exe /I{1E2F8094-9DCD-4B87-ADB3-25CC5A0442FF}
-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
-->MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
-->MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
-->MsiExec.exe /I{8D337F77-BE7F-41A2-A7CB-D5A63FD7049B}
-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 F:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Ad-Aware-->"F:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe" REMOVE=TRUE MODIFY=FALSE
Ad-Aware-->F:\Documents and Settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe
Adobe AIR-->F:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->F:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Elements 2.0-->F:\WINDOWS\ISUNINST.EXE -f"F:\Program Files\Adobe\Photoshop Elements 2\Uninst.isu" -c"F:\Program Files\Adobe\Photoshop Elements 2\Uninst.dll"
Adobe Reader 9-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A90000000001}
AI Nap-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{E2216699-EA02-4B85-BAB1-1DF34C4BDF9D}\setup.exe" -l0x9
ASUSUpdate-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\setup.exe" -l0x9
AudioConverter Studio 5.9-->"F:\Program Files\AudioConverter Studio\unins000.exe"
Canon iP4500 series-->"F:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4500_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_iP4500_series /L0x0009
CDDRV_Installer-->MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Colin McRae Rally 2-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{19B72AA9-985A-11D4-9C8A-00D0B75D1498}\setup.exe"
Colin McRae Rally 2005-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{CC67770B-581D-4E96-B72A-A7907CE18725}\setup.exe" -l0x9
Cool & Quiet-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}\setup.exe" -l0x9
Critical Update for Windows Media Player 11 (KB959772)-->"F:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
EPSON Copy Utility 3-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x9 -UnInstall
EPSON Scan-->F:\Program Files\epson\escndv\setup\setup.exe /r
Google Earth-->MsiExec.exe /X{548EAC70-EE00-11DD-908C-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"F:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Grand Prix Legends-->F:\WINDOWS\IsUninst.exe -ff:\SIERRA\gpl\Uninst.isu
GTR-->F:\GTR\Support\unins000.exe
High Definition Audio Driver Package - KB888111-->"F:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"F:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->F:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->F:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"F:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"F:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"F:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"F:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"F:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Java(TM) 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Kaspersky Internet Security 2009-->MsiExec.exe /I{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}
Kaspersky Internet Security 2009-->MsiExec.exe /I{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}
KhalInstallWrapper-->MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
LightScribe System Software 1.17.90.1-->MsiExec.exe /X{CB16F6D9-EBC9-4BC6-B917-7AF53E99C067}
LightScribe Template Labeler-->MsiExec.exe /X{FCBE0690-CBE1-4C60-87B0-4A70A6F5434E}
Logitech SetPoint-->"F:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe" -runfromtemp -l0x0009 -removeonly
MediaFACE 4.2 Image Library-->F:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2D6DFE76-A197-4337-90BA-8DCB840CA84B} /l1033
MediaFACE 4.2-->F:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E129EC5D-FC37-4260-B6B7-1113D8613A89} /l1033
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"F:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "F:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->F:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"F:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"F:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"F:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Midtown Madness-->"F:\Program Files\Microsoft Games\Midtown Madness\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Monster Truck Madness 2-->F:\Program Files\Microsoft Games\Monster Truck Madness 2\UNINSTAL.EXE
Microsoft National Language Support Downlevel APIs-->"F:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"F:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Pinball Arcade-->"F:\Program Files\Microsoft Games\Pinball Arcade\UNINSTAL.EXE" /runtemp
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"F:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Nero 7 Ultra Edition-->MsiExec.exe /X{98EFD8F0-08DE-48DB-B922-A2EBAB711033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->F:\WINDOWS\system32\nvuninst.exe UninstallGUI
PC Probe II-->RunDll32 F:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "F:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9
RAIDXpert-->F:\Program Files\InstallShield Installation Information\{8B76B8E9-F773-4B75-A08C-120079EB765E}\setup.exe -runfromtemp -l0x0409
Rally Trophy-->MsiExec.exe /I{42A4EC40-09BC-427C-B657-67978B784058}
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->F:\Program Files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\Setup.exe -runfromtemp -l0x0009 -removeonly
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m -nrg2709
Roxio Drag-to-Disc-->MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Easy Media Creator-->MsiExec.exe /I{B7FB0C86-41A4-4402-9A33-912C462042A0}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"F:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"F:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"F:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"F:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"F:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"F:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"F:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"F:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"F:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923689)-->"F:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->F:\WINDOWS\system32\MacroMed\Flash\genuinst.exe F:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"F:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"F:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"F:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"F:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"F:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"F:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"F:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"F:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"F:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"F:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"F:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"F:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"F:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"F:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"F:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"F:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"F:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"F:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"F:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"F:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"F:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"F:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"F:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"F:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"F:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Shockwave-->F:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE F:\WINDOWS\system32\Macromed\SHOCKW~1\INSTALL.LOG
SideWinder Force Feedback Wheel (USB)-->F:\WINDOWS\IsUninst.exe -f"F:\Program Files\Microsoft Hardware\Game Controllers\Force Feedback Wheel (USB)\Uninst.isu" -c"F:\Program Files\Microsoft Hardware\Game Controllers\Force Feedback Wheel (USB)\Uninstall.dll"
Sierra Utilities-->F:\Program Files\Sierra On-Line\sutil32.exe uninstall
SpywareBlaster 4.1-->"F:\Program Files\SpywareBlaster\unins000.exe"
SuperNZB v3.2.1-->"F:\Program Files\SuperNZB\unins000.exe"
U.S. Robotics V.92 PCI Faxmodem-->F:\Program Files\CONEXANT\USR_MODEM_PCI_VEN_16EC&DEV_2F00&SUBSYS_010A16EC\HXFSETUP.EXE -U -IVEN_16EC&DEV_2F00&SUBSYS_010A16EC&REV_01
Update for Microsoft Office 2007 Help for Common Features (KB957244)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {C8C72583-C907-4D20-8973-C3858D96BD9E}
Update for Microsoft Office Excel 2007 Help (KB957242)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {51864046-74C8-487B-97CD-6167A4B1DB56}
Update for Microsoft Office OneNote 2007 Help (KB957245)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {7332DE60-DC79-4578-A60A-A5EA0D6E032B}
Update for Microsoft Office PowerPoint 2007 Help (KB957247)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {B20E2C59-EEC5-4102-9E50-5DBB2093C37D}
Update for Microsoft Office Word 2007 Help (KB957252)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {54DF3345-0720-4224-9740-C7E00303F565}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Office 2007 (KB946691)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Windows XP (KB951072-v2)-->"F:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"F:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"F:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"F:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->F:\WINDOWS\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Windows Internet Explorer 7-->"F:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"F:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"F:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"F:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"F:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Search 4.0-->"F:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"F:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

=====HijackThis Backups=====

O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe -c

======Hosts File======

127.0.0.1 localhost
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net

======Security center information======

AV: Kaspersky Internet Security
FW: Kaspersky Internet Security

System event log

Computer Name: DAVID-BB87081CA
Event Code: 7036
Message: The Application Management service entered the stopped state.

Record Number: 8820
Source Name: Service Control Manager
Time Written: 20090307120459.000000-480
Event Type: information
User:

Computer Name: DAVID-BB87081CA
Event Code: 7035
Message: The Application Management service was successfully sent a start control.

Record Number: 8819
Source Name: Service Control Manager
Time Written: 20090307120459.000000-480
Event Type: information
User: DAVID-BB87081CA\Study

Computer Name: DAVID-BB87081CA
Event Code: 7023
Message: The Application Management service terminated with the following error:
The specified module could not be found.


Record Number: 8818
Source Name: Service Control Manager
Time Written: 20090307120459.000000-480
Event Type: error
User:

Computer Name: DAVID-BB87081CA
Event Code: 7036
Message: The Application Management service entered the stopped state.

Record Number: 8817
Source Name: Service Control Manager
Time Written: 20090307120459.000000-480
Event Type: information
User:

Computer Name: DAVID-BB87081CA
Event Code: 7035
Message: The Application Management service was successfully sent a start control.

Record Number: 8816
Source Name: Service Control Manager
Time Written: 20090307120459.000000-480
Event Type: information
User: DAVID-BB87081CA\Study

Application event log

Computer Name: DAVID-BB87081CA
Event Code: 0
Message:
Record Number: 41
Source Name: McAfee SiteAdvisor Service
Time Written: 20081204050359.000000-480
Event Type: information
User:

Computer Name: DAVID-BB87081CA
Event Code: 0
Message:
Record Number: 40
Source Name: gusvc
Time Written: 20081204050355.000000-480
Event Type: information
User:

Computer Name: DAVID-BB87081CA
Event Code: 11728
Message: Product: Microsoft Visual C++ 2005 Redistributable -- Configuration completed successfully.

Record Number: 39
Source Name: MsiInstaller
Time Written: 20081203211526.000000-480
Event Type: information
User: DAVID-BB87081CA\Study

Computer Name: DAVID-BB87081CA
Event Code: 11707
Message: Product: CDDRV_Installer -- Installation operation completed successfully.

Record Number: 38
Source Name: MsiInstaller
Time Written: 20081203211508.000000-480
Event Type: information
User: DAVID-BB87081CA\Study

Computer Name: DAVID-BB87081CA
Event Code: 11728
Message: Product: KhalInstallWrapper -- Configuration completed successfully.

Record Number: 37
Source Name: MsiInstaller
Time Written: 20081203211342.000000-480
Event Type: information
User: DAVID-BB87081CA\Study

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=F:\Program Files\Common Files\ArcSoft\Bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;F:\Program Files\Common Files\Roxio Shared\DLLShared\;F:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 107 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=6b02
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"RoxioCentral"=F:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\

-----------------EOF-----------------
HalibutStance
Active Member
Posts: 9
Joined: March 7th, 2009, 7:48 pm
Location: (Fabulous) Las Vegas

Re: StealthMBR!mbr

Unread postby Carolyn » March 20th, 2009, 2:57 pm

Hi,

I am not seeing any signs of malware in your logs, but I still would like to get an online scan just to be certain that nothing has been missed.


Download CCleaner from here and save it to your desktop.

Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make backups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!


Please disable your real-time antivirus protection before running the online scan.

Please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on the Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log and a description of how your computer is behaving.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: StealthMBR!mbr

Unread postby HalibutStance » March 21st, 2009, 7:01 pm

Remove one obstacle and it seems like another one pops right up. Ran CCleaner for all user accounts; no problem. Went into Security under Internet Options in Control Panel and disabled anything that might block any sort of ActiveX app. Clicked "pause protection" on Kaspersky Security Suite and set it to restart upon reboot. Tried to run the Kaspersky scan, but this time it wouldn't go because it said I didn't have Java post-1.5 installed. I uninstalled the Java whatever.12 that was installed on this thing, then went to Java and did a fresh reinstall. Went back to Kaspersky, got thru the initialization and got at least a half-hour into the multiple updates when the computer rebooted itself. When it all came back up it told me that it had "recovered from a serious error" that was caused by an "anti-virus program", and everything seemed to be as normal with the computer since that hard drive went missing. I paused the Security Suite again, went thru the motions on the scan again, but this time it only got to the end of the initial 3k kb update before it rebooted. It told me again that it had "recovered from a serious error" and that's where I sit right now. The computer seems to be acting normally at this time. Here's the current HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:31 PM, on 3/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Google\Update\GoogleUpdate.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\ASUS\AI Nap\AiNap.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\WINDOWS\RTHDCPL.EXE
F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
F:\Program Files\Roxio\CinePlayer\DMXLauncher.exe
F:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
F:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
F:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
F:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\WINDOWS\system32\IoctlSvc.exe
F:\Program Files\Windows Desktop Search\WindowsSearch.exe
F:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
F:\WINDOWS\System32\snmp.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\SearchIndexer.exe
F:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
F:\WINDOWS\system32\fxssvc.exe
F:\Program Files\AMD\RAIDXpert\_jvm\bin\java.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
F:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - F:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "F:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] F:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MediaFace Integration] F:\Program Files\Fellowes\MediaFACE 4.2\SetHook.exe
O4 - HKLM\..\Run: [Ai Nap] "F:\Program Files\ASUS\AI Nap\AiNap.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Ad-Watch] F:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RoxWatchTray] "F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [DMXLauncher] "F:\Program Files\Roxio\CinePlayer\DMXLauncher.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "F:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AVP] "F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "F:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] F:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [LightScribe Control Panel] F:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = F:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: OneNote Table Of Contents.onetoc2
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = F:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Windows Search.lnk = F:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Banner Ad Blocker - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1224128433955
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1224135004234
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD7/JSCDL/jdk/6u12-b04/jinstall-6u12-windows-i586-jc.cab?e=1237665735871&h=b82ba29597e35a81ff032704afb6b347/&filename=jinstall-6u12-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,F:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,F:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,F:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: AMD RAIDXpert (AMDRAIDXpert) - Unknown owner - F:\Program Files\AMD\RAIDXpert\jetty\extra\win32\Wrapper.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - F:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Google Update Service (gupdate1c98cb92d37006c) (gupdate1c98cb92d37006c) - Google Inc. - F:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - F:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - F:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - F:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - F:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - F:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - F:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - F:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - F:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 10315 bytes
HalibutStance
Active Member
 
Posts: 9
Joined: March 7th, 2009, 7:48 pm
Location: (Fabulous) Las Vegas

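As an added example (not from this thread, and not a Trend Micro tool), here is a small Python checker that walks a HijackThis v2 log in the line format posted above and pulls out the entries a helper reads first: Run keys whose executable has no drive-qualified path, Trusted Zone sites (O15), AppInit_DLLs (O20), and services (O23) with an unknown owner or a missing file. The sample log is constructed; its paths, product names and the Trusted Zone host are hypothetical.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample in the HijackThis v2 line format shown above.
# Paths, product names and the Trusted Zone host are hypothetical.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [Example Tray] "F:\Program Files\Example\Tray.exe"
O4 - HKLM\..\Run: [Legacy Helper] LGCYHLP.EXE
O15 - Trusted Zone: http://*.vendor.invalid
O20 - AppInit_DLLs: F:\PROGRA~1\EXAMPL~1\hook1.dll,F:\PROGRA~1\EXAMPL~1\hook2.dll
O23 - Service: Example Daemon (ExDaemon) - Unknown owner - F:\Program Files\Example\ExService.exe (file missing)
O23 - Service: Example Svc (ExSvc) - Example Corp - F:\Program Files\Example\ExSvc.exe
"""

# "O4 - <body>", "R1 - <body>", ...; header, process list and footer lines do not match.
ENTRY_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")
# O4 Run-key body: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 body: Service: display name (short name) - owner - path [(file missing)]
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def executable_of(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def findings(log_text: str) -> list[tuple[str, str]]:
    """Walk a HijackThis log and return (finding-code, detail) pairs in log order."""
    out: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            run = RUN_RE.match(body)
            if run:
                exe = executable_of(run.group("cmd"))
                if exe and not DRIVE_PATH_RE.match(exe):
                    # Bare file name: resolved through the search order at logon
                    out.append(("unqualified-run-path", f"{run.group('name')}: {exe}"))
        elif sec == "O15":
            # Trusted Zone sites run under relaxed Internet Explorer settings
            prefix = "Trusted Zone: "
            out.append(("trusted-zone", body[len(prefix):] if body.startswith(prefix) else body))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # Every listed DLL is loaded into each process that loads user32.dll
            for dll in body.split(":", 1)[1].split(","):
                if dll.strip():
                    out.append(("appinit-dll", dll.strip()))
        elif sec == "O23":
            svc = SERVICE_RE.match(body)
            if svc:
                if svc.group("owner") == "Unknown owner":
                    out.append(("service-unknown-owner", svc.group("name")))
                if svc.group("path").endswith("(file missing)"):
                    out.append(("service-file-missing", svc.group("name")))
    return out


def summary(log_text: str) -> Counter:
    """Count findings by code for a quick triage view."""
    return Counter(code for code, _ in findings(log_text))


if __name__ == "__main__":
    for code, detail in findings(SAMPLE_LOG):
        print(f"{code:24} {detail}")
```

Lines that HijackThis already shows as standard (the R0/R1 Microsoft defaults, O2 BHOs, O16 cabs) are deliberately not flagged here; the checker only surfaces the entry types that most often need a second look.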
Re: StealthMBR!mbr

Unread postby Carolyn » March 22nd, 2009, 5:06 pm

Hello,

Frustrating, I know... You have been very patient, and it sounds like you are doing all of the right things here.

Let's try a different online scan... Don't wrestle with it if it does not want to work. With or without the scan results, my next recommendation will be for you to visit a General Troubleshooting Forum where they can help you determine what happened to that drive and if there are other hardware issues afoot here.

  1. Click here to perform a Panda online scan. Please use Internet Explorer as it requires ActiveX.
  2. Click on Scan your PC now.
  3. A new window will open.
  4. Select your country and type in your email address. You may also optionally choose to receive emails from Panda. If you don't wish to, please select the "I do not want to receive marketing information from Panda Software and/or its International Representatives where applicable" option.
  5. Click on Free online scan.
  6. You will be prompted to install an ActiveX. Please allow it.
  7. Once installed, it will start downloading the virus definitions. Please be patient. This takes a while.
  8. Once the files are downloaded, it will ask you to select what to scan. Select My Computer.
  9. The scan will start. It takes a while, please be patient.
  10. Once done, click on View Report.
  11. You will be brought to another page. Click on Save Report. Save it to your desktop. Please post this report in your next reply.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: StealthMBR!mbr

Unread postby HalibutStance » March 25th, 2009, 9:54 am

Good morning, Carolyn ... or whatever time it is Down East -

Sorry for the delay. I've been researching how best to recover the data from the crashed hard drive, and I think I'm very close to a solution. I imagine that once I migrate files from the dead drive to my spare, which will possibly be tonight, I will want to run another, but more on that later. In the meantime, here is the Panda scan from the other day; it looks like, thanks to your kind assistance, this whole mess is very close to being wrapped up:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-03-22 19:52:22
PROTECTIONS: 1
MALWARE: 7
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
Kaspersky Internet Security 8.0.0.506 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00148914 Cookie/Tucows TrackingCookie No 0 Yes No F:\Documents and Settings\Study\Cookies\study@tucows[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No F:\Documents and Settings\Study\Cookies\study@com[1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No F:\Documents and Settings\Study\Cookies\study@com[3].txt
00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No F:\Documents and Settings\Study\Cookies\study@club.cdfreaks[3].txt
00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No F:\Documents and Settings\Study\Cookies\study@cdfreaks[1].txt
00170549 Cookie/FortuneCity TrackingCookie No 0 Yes No F:\Documents and Settings\Study\Cookies\study@fortunecity[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Study\Cookies\study@go[1].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No F:\Documents and Settings\Study\Cookies\study@target[2].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
HalibutStance
Active Member
 
Posts: 9
Joined: March 7th, 2009, 7:48 pm
Location: (Fabulous) Las Vegas

Re: StealthMBR!mbr

Unread postby Carolyn » March 26th, 2009, 1:05 pm

This is my general post for when your logs show no more signs of malware ;) Please let me know if you are still having problems with your computer and what these problems are.

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:
  • Please delete RSIT.exe from your computer
  • Please delete DDS.exe from your computer
  • Go to Start --> Run and copy/paste C:\WINDOWS\gmer_uninstall.cmd into the run window, click Okay. When that process completes, please reboot your computer.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

    Protection Programs
    Don't forget to re-enable any protection programs we disabled during your fix.

    General Security and Computer Health
    Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

    • Clear Infected System Restore Points
      • Turn System Restore off
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Check Turn off System Restore.
      • Click Apply, and then click OK.
      • Restart your computer.

      • Turn System Restore on
      • On the Desktop, right click on the My Computer icon.
      • Click Properties.
      • Click the System Restore tab.
      • Uncheck *Turn off System Restore*.
      • Click Apply, and then click OK.
      Note: only do this once, and not on a regular basis.


    • Set correct settings for files
      • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
      • Under Hidden files and folders if necessary select Do not show hidden files and folders.
      • If unchecked please check Hide protected operating system files (Recommended)
      • If necessary check Display content of system folders
      • If necessary Uncheck Hide file extensions for known file types.
      • Click OK


    • Make sure that you keep your antivirus updated
      New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

    • Continue to use a firewall with outbound protection
      The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
      Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

    • Security Updates for Windows, Internet Explorer & Microsoft Office
      Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
      Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

    • Update Non-Microsoft Programs
      Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

    • Make Internet Explorer More Secure
      You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


    Recommended Programs

    I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

    • WinPatrol
      As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

    • SpywareBlaster
      SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

    • Malwarebytes' Anti-Malware or SuperAntiSpyware
      These are anti-malware applications that can thoroughly remove even the most advanced malware. They include a number of features, including a built in protection monitor that blocks malicious processes before they even start.
      You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.
      You can download SuperAntiSpyware from HERE.

    • Hosts File
      For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

      Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
      If this isn't done first, the next reboot may take a VERY LONG TIME.
      This is how to do it. First be sure you are signed in as a user with administrative privileges:
      Stop and Disable the DNS Client Service
      Go to Start, Run and type Services.msc and click OK.
      Under the Extended Tab, Scroll down and find this service.
      DNS Client
      Right-Click on the DNS Client Service. Choose Properties
      Select the General tab. Click on the Stop button.
      Click the Arrow-down tab on the right-hand side at the Start-up Type box.
      From the drop-down menu, click on Manual
      Click the Apply tab, then click OK


    • Use an alternative Internet Browser
      Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
      Firefox
      Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine