BleepingComputer.com: Programs are missing from Start Menu

Is there a way to restore all programs? None of my programs are in Start Menu >>> All Programs.

Thanks.

This post has been edited by hamluis: 08 January 2012 - 06:19 AM
Reason for edit: Moved from XP to Am I Infected.

Welcome aboard

What happened?
Was your computer infected?

Let's see, if we can recover your missing features.
Download and run UnHide
Let me know, if it worked.

Hi Broni! Thanks for your help.

Apparently my computer is infected. I was not sure of this until I got a warning when trying to download Unhide. I scanned with Malwarbytes earlier and it found infections. I removed the files and run Unhide. The All Programs menu is back but they are all empty. Microsoft essentials found infections too. Some of them were allowed. Also, I get an Auto Run Disable screen when the system reboots.

These are the ones that Microsoft Essentials allowed.
Trojan:win32/fakesysdef

file:C:\Documents and Settings\Guest\Local Settings\Temp\P5tM1QBI6DSS92.exe.tmp->(UPX)


Trojan:win32/Alureon.FE
Items:
file:C:\Documents and Settings\Guest\Local Settings\Temp\62.tmp
file:C:\Documents and Settings\Guest\Local Settings\Temp\67.tmp
file:C:\Documents and Settings\Guest\Local Settings\Temp\6A.tmp
file:C:\Documents and Settings\Guest\Local Settings\Temp\6B.tmp


Here is the Malwarebytes log. Should I start a new topic in the I'm infected Forum?
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.07.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Cher :: MESHON [administrator]

1/7/2012 12:30:47 PM
mbam-log-2012-01-07 (12-30-47).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 299769
Time elapsed: 1 hour(s), 30 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\WinServers (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|tsydscwm (Rogue.AntivirusSuite.Gen) -> Data: C:\Documents and Settings\Cher\Local Settings\Application Data\gythyfddj\nhsaevttssd.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|btfutoax (Rogue.AntivirusSuite.Gen) -> Data: C:\Documents and Settings\Cher\Local Settings\Application Data\cknskotyx\ubusubitssd.exe -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|bhdaldit (Rogue.AntivirusSuite.Gen) -> Data: C:\Documents and Settings\Cher\Local Settings\Application Data\fsainbfom\uxtimprtssd.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 8
c:\documents and settings\guest\application data\sun\java\deployment\cache\6.0\60\77cf8ebc-668003da (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\62.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\67.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\6A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\6B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\guest\local settings\temp\chipset_driver_update.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guest\Local Settings\Temp\P5tM1QBI6DSS92.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.

(end)

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download Farbar Service Scanner and run it on the computer with the issue.

• Make sure the following options are checked:
  
  • Internet Services
    
  • Windows Firewall
    
  • System Restore
    
  • Security Center
    
  • Windows Update
  
  
• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.

====================================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:

• Report IE Proxy Settings
  
• Report FF Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List Winsock Entries
  
• List last 10 Event Viewer log
  
• List Installed Programs
  
• List Users, Partitions and Memory size

Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

Good Afternnon Broni,

Here are the files.

Security Check
Results of screen317's Security Check version 0.99.24
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
McAfee Total Protection
McAfee Virtual Technician
McAfee Online Backup
Microsoft Security Essentials
```````````````````````````````
Anti-malware/Other Utilities Check:
Spybot - Search & Destroy
Java™ 6 Update 16
Out of date Java installed!
Adobe Flash Player ( 10.0.32.18) Flash Player Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MSMpEng.exe
Malwarebytes' Anti-Malware mbam.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
McAfee Online Backup MOBKbackup.exe
``````````End of Log````````````

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

FSS

Farbar Service Scanner
Ran by Cher (administrator) on 08-01-2012 at 01:36:41
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

Windows Update:
===========

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(6) IPSec(4) mfetdi2k(9) NetBT(5) PSched(7) Tcpip(3)
0x09000000040000000100000002000000030000000900000005000000060000000700000008000000
IpSec Tag value is correct.

**** End of log ****

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Mini tool

MiniToolBox by Farbar
Ran by Cher (administrator) on 08-01-2012 at 01:38:31
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.
========================= Hosts content: =================================


127.0.0.1 localhost
127.0.0.1 ie3.proxy.aol.com

========================= IP Configuration: ================================

Cisco Systems SSL VPN Adapter = Local Area Connection 7 (Disconnected)
Broadcom 440x 10/100 Integrated Controller = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=dhcp
set dns name="Local Area Connection" source=dhcp register=PRIMARY
set wins name="Local Area Connection" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : meshon

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller

Physical Address. . . . . . . . . : 00-0B-DB-0D-D9-C6

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . : 192.168.1.97

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : 192.168.1.254

DHCP Server . . . . . . . . . . . : 192.168.1.254

DNS Servers . . . . . . . . . . . : 192.168.1.254

Lease Obtained. . . . . . . . . . : Sunday, January 08, 2012 1:35:37 AM

Lease Expires . . . . . . . . . . : Sunday, January 08, 2012 2:35:37 AM

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.159.103, 74.125.159.104, 74.125.159.105, 74.125.159.106
74.125.159.147, 74.125.159.99



Pinging google.com [74.125.159.99] with 32 bytes of data:



Reply from 74.125.159.99: bytes=32 time=19ms TTL=51

Reply from 74.125.159.99: bytes=32 time=21ms TTL=51



Ping statistics for 74.125.159.99:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 19ms, Maximum = 21ms, Average = 20ms

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.254

Name: yahoo.com
Addresses: 209.191.122.70, 72.30.2.43, 98.137.149.56, 98.139.180.149



Pinging yahoo.com [98.137.149.56] with 32 bytes of data:



Reply from 98.137.149.56: bytes=32 time=84ms TTL=49

Reply from 98.137.149.56: bytes=32 time=123ms TTL=49



Ping statistics for 98.137.149.56:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 84ms, Maximum = 123ms, Average = 103ms

DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.1.254

Name: bleepingcomputer.com
Address: 208.43.87.2



Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:



Reply from 208.43.87.2: Destination host unreachable.

Reply from 208.43.87.2: Destination host unreachable.



Ping statistics for 208.43.87.2:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0b db 0d d9 c6 ...... Broadcom 440x 10/100 Integrated Controller - McAfee Core NDIS Intermediate Filter Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.97 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.97 192.168.1.97 20
192.168.1.97 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.97 192.168.1.97 20
224.0.0.0 240.0.0.0 192.168.1.97 192.168.1.97 20
255.255.255.255 255.255.255.255 192.168.1.97 192.168.1.97 1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 12 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 13 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 14 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 15 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 16 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 17 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 18 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 19 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (01/08/2012 01:21:27 AM) (Source: STCAgent) (User: )
Description: Termination reason code 10 [FAST_USER_SWITCH]

Error: (01/08/2012 00:50:05 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/08/2012 00:50:05 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/08/2012 00:11:39 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/08/2012 00:07:19 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 8.0.6001.18702, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (01/07/2012 07:59:24 PM) (Source: STCAgent) (User: )
Description: Termination reason code 10 [FAST_USER_SWITCH]

Error: (01/07/2012 07:16:05 PM) (Source: STCAgent) (User: )
Description: Termination reason code 10 [FAST_USER_SWITCH]

Error: (01/07/2012 00:10:52 PM) (Source: STCAgent) (User: )
Description: Termination reason code 10 [FAST_USER_SWITCH]

Error: (01/07/2012 10:10:57 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\MCAFEE\MCAFEE TOTAL PROTECTION.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)

Error: (01/07/2012 10:10:57 AM) (Source: Windows Search Service) (User: )
Description: The entry <C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\MCAFEE\MCAFEE TOTAL PROTECTION.LNK> in the hash map cannot be updated.

Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)


System errors:
=============
Error: (01/08/2012 00:03:42 AM) (Source: Dhcp) (User: )
Description: Your computer has lost the lease to its IP address 192.168.1.97 on the
Network Card with network address 000BDB0DD9C6.

Error: (01/07/2012 08:01:50 PM) (Source: DCOM) (User: SYSTEM)
Description: The server {209500FC-6B45-4693-8871-6296C4843751} did not register with DCOM within the required timeout.

Error: (01/07/2012 07:58:16 PM) (Source: Service Control Manager) (User: )
Description: The Security Services Driver (x86) service failed to start due to the following error:
%%2

Error: (01/07/2012 06:37:31 PM) (Source: Service Control Manager) (User: )
Description: The Security Services Driver (x86) service failed to start due to the following error:
%%2

Error: (01/07/2012 10:14:02 AM) (Source: DCOM) (User: SYSTEM)
Description: The server {209500FC-6B45-4693-8871-6296C4843751} did not register with DCOM within the required timeout.

Error: (01/07/2012 10:07:01 AM) (Source: Service Control Manager) (User: )
Description: The Security Services Driver (x86) service failed to start due to the following error:
%%2

Error: (12/27/2011 06:06:11 PM) (Source: Service Control Manager) (User: )
Description: The Security Services Driver (x86) service failed to start due to the following error:
%%2

Error: (12/27/2011 06:03:01 PM) (Source: Service Control Manager) (User: )
Description: The Security Services Driver (x86) service failed to start due to the following error:
%%2

Error: (12/27/2011 06:01:36 PM) (Source: Windows Update Agent) (User: )
Description: Unable to Connect: Windows is unable to connect to the automatic updates service and therefore cannot download and install updates according to the set schedule. Windows will continue to try to establish a connection.

Error: (12/13/2011 09:06:18 PM) (Source: Microsoft Antimalware) (User: )
Description: %NT AUTHORITY60 has encountered an error trying to update signatures.

New Signature Version:

Previous Signature Version: 1.117.233.0

Update Source: %NT AUTHORITY51

Update Stage: 3.0.8402.00

Source Path: 3.0.8402.01

Signature Type: %NT AUTHORITY602

Update Type: %NT AUTHORITY604

User: NT AUTHORITY\NETWORK SERVICE

Current Engine Version: %NT AUTHORITY605

Previous Engine Version: %NT AUTHORITY606

Error code: %NT AUTHORITY607

Error description: %NT AUTHORITY608


Microsoft Office Sessions:
=========================
Error: (01/08/2012 01:21:27 AM) (Source: STCAgent)(User: )
Description: 10FAST_USER_SWITCH

Error: (01/08/2012 00:50:05 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (01/08/2012 00:50:05 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (01/08/2012 00:11:39 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (01/08/2012 00:07:19 AM) (Source: Application Hang)(User: )
Description: iexplore.exe8.0.6001.18702hungapp0.0.0.000000000

Error: (01/07/2012 07:59:24 PM) (Source: STCAgent)(User: )
Description: 10FAST_USER_SWITCH

Error: (01/07/2012 07:16:05 PM) (Source: STCAgent)(User: )
Description: 10FAST_USER_SWITCH

Error: (01/07/2012 00:10:52 PM) (Source: STCAgent)(User: )
Description: 10FAST_USER_SWITCH

Error: (01/07/2012 10:10:57 AM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\MCAFEE\MCAFEE TOTAL PROTECTION.LNK

Error: (01/07/2012 10:10:57 AM) (Source: Windows Search Service)(User: )
Description: Context: Application, SystemIndex Catalog

Details:
A device attached to the system is not functioning. (0x8007001f)
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\MCAFEE\MCAFEE TOTAL PROTECTION.LNK


=========================== Installed Programs ============================

32 Bit HP CIO Components Installer (Version: 6.1.1)
Adobe Flash Player 10 ActiveX (Version: 10.0.32.18)
Adobe Flash Player 10 Plugin (Version: 10.0.32.18)
Adobe Reader 7.0 (Version: 7.0.0)
Ahead Nero Burning ROM
BACS (Version: 3.26.0000)
BCM V.92 56K Modem
BellSouth Toolbar 1.0
BellSouth® FastAccess® DSL Help Center 4.0 (Version: 4.0.29)
Britannica Ready Reference
Broadcom Advanced Control Suite (Version: 3.26.0000)
BufferChm (Version: 130.0.331.000)
CCScore (Version: 7.00.0000.0001)
Cisco SSL VPN Client (Version: 1.1.3.173)
Compatibility Pack for the 2007 Office system (Version: 12.0.6514.5001)
Copy (Version: 130.0.366.000)
DAO (Version: 3.50)
Dell Picture Studio - Dell Image Expert (Version: 3.4.1)
Dell Solution Center (Version: 1.00.0000)
DellSupport (Version: 6.0.3062)
Destinations (Version: 140.0.77.000)
DeviceDiscovery (Version: 130.0.372.000)
DJ_AIO_05_F4400_Software_Min (Version: 130.0.448.000)
Easy CD Creator 5 Basic (Version: 5.2.0.61)
EPSON EPIC
EPSON Printer Software
ESSBrwr (Version: 7.00.0000.0003)
ESSCDBK (Version: 7.00.0000.0002)
ESScore (Version: 7.00.0000.0008)
ESSgui (Version: 7.00.0000.0002)
ESSini (Version: 7.00.0000.0003)
ESSPCD (Version: 7.00.0000.0002)
ESSPDock (Version: 6.03.0001.0004)
ESSSONIC (Version: 6.4.0000.0001)
ESSTOOLS (Version: 5.00.0000.0004)
essvatgt (Version: 7.00.0000.0002)
F4400 (Version: 130.0.448.000)
fflink (Version: 6.02.1001.0001)
GPBaseService2 (Version: 130.0.371.000)
Help and Support Customization (Version: 1.00.0000)
HP Customer Participation Program 13.0 (Version: 13.0)
HP Deskjet F4400 Printer Driver Software 13.0 Rel .5 (Version: 13.0)
HP Imaging Device Functions 13.0 (Version: 13.0)
HP Print Projects 1.0 (Version: 1.0)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 13.0 (Version: 13.0)
HP Update (Version: 5.002.005.003)
hpPrintProjects (Version: 130.0.303.000)
HPProductAssistant (Version: 130.0.371.000)
HPSSupply (Version: 130.0.371.000)
hpWLPGInstaller (Version: 130.0.303.000)
Intel® Extreme Graphics Driver
Java™ 6 Update 16 (Version: 6.0.160)
Jewel Match 2
kgcbaby (Version: 5.03.0000.0002)
kgcbase (Version: 5.03.0000.0004)
kgchday (Version: 5.03.0000.0002)
kgchlwn (Version: 5.03.0000.0002)
kgcinvt (Version: 5.03.0000.0003)
kgckids (Version: 6.03.0001.0001)
kgcmove (Version: 6.03.0001.0001)
kgcvday (Version: 5.03.0000.0002)
Kodak EasyShare software
Learn2 Player (Uninstall Only)
Malwarebytes Anti-Malware version 1.60.0.1800 (Version: 1.60.0.1800)
MarketResearch (Version: 130.0.374.000)
Mavis Beacon Teaches Typing 12 Standard
McAfee Online Backup
McAfee Online Backup (Version: 1.16.4.0)
McAfee Total Protection (Version: 10.5.221)
McAfee Virtual Technician (Version: 5.5.1.0)
Microsoft .NET Framework (English) (Version: 1.0.3705)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1 (Version: 1.1.4322)
Microsoft .NET Framework 1.1 Security Update (KB2572067)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Antimalware (Version: 3.0.8402.2)
Microsoft Application Error Reporting (Version: 12.0.6012.5000)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP (Version: 1)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Live Add-in 1.4 (Version: 2.0.3008.0)
Microsoft Office Professional Edition 2003 (Version: 11.0.8173.0)
Microsoft Security Client (Version: 2.1.1116.0)
Microsoft Security Essentials (Version: 2.1.1116.0)
Microsoft Silverlight (Version: 4.0.60831.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Helper
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB954459) (Version: 6.20.1099.0)
MUSICMATCH Jukebox
netbrdg (Version: 7.00.0000.0003)
OfotoXMI (Version: 7.00.0000.0002)
PhotoPrinter 2.0 LE
Quicken 2002 New User Edition
QuickTime (Version: 7.4.1.14)
RealPlayer Basic
Scan (Version: 140.0.80.000)
Search Basket
SFR (Version: 7.00.0000.0004)
SHASTA (Version: 6.04.0000.0001)
Shop for HP Supplies (Version: 13.0)
skin0001 (Version: 7.00.0000.0002)
SKINXSDK (Version: 7.00.0000.0001)
SmartWebPrinting (Version: 140.0.186.000)
SolutionCenter (Version: 130.0.373.000)
Spybot - Search & Destroy (Version: 1.6.2)
staticcr (Version: 7.00.0000.0002)
Status (Version: 130.0.373.000)
Toolbox (Version: 130.0.648.000)
tooltips (Version: 7.00.0000.0002)
TrayApp (Version: 130.0.376.000)
Vimicro USB2.0 UVC PC Camera (Version: 2009.03.18)
VPRINTOL (Version: 7.00.0000.0001)
WebEx
WebFldrs XP (Version: 9.50.6513)
WebReg (Version: 130.0.132.017)
Windows Imaging Component (Version: 3.0.0.0)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Live ID Sign-in Assistant (Version: 6.500.3146.0)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0 (Version: 04.00.6001.503)
Windows XP Service Pack 3 (Version: 20080414.031525)
WIRELESS (Version: 7.00.0000.0002)
WordPerfect Office 2002
WordPerfect Office 2002 (Version: 10)
Yahoo! Messenger
Yahoo! Messenger Explorer Bar

========================= Memory info: ===================================

Percentage of memory in use: 53%
Total physical RAM: 1022.48 MB
Available physical RAM: 480.52 MB
Total Pagefile: 2462.19 MB
Available Pagefile: 1477.87 MB
Total Virtual: 2047.88 MB
Available Virtual: 1971.2 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:149.02 GB) (Free:121.02 GB) NTFS
5 Drive f: (U3 System) (CDROM) (Total:0.01 GB) (Free:0 GB) CDFS
6 Drive g: () (Removable) (Total:0.95 GB) (Free:0.32 GB) FAT

========================= Users: ========================================

User accounts for \\MESHON

Administrator ASPNET Cher
Guest HelpAssistant SUPPORT_388945a0
SUPPORT_3f151ab9


**** End of log ****

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

MBAB
Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.07.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Cher :: MESHON [administrator]

1/8/2012 1:42:38 AM
mbam-log-2012-01-08 (01-42-38).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 300256
Time elapsed: 1 hour(s), 5 minute(s), 4 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-08 11:55:59
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600AAJB-00J3A0 rev.01.03E01
Running: g8zhguum_it.exe; Driver: C:\DOCUME~1\Cher\LOCALS~1\Temp\uxtdypow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF75300E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF75300F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF7530120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF7530176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF75300CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF75300A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF75300B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF753010A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF753014C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF7530136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF75301A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF753018C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF7530160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[156] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 62419A20 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe[156] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 62419AE2 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\System32\svchost.exe[356] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00690000
.text C:\WINDOWS\System32\svchost.exe[356] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0069001B
.text C:\WINDOWS\System32\svchost.exe[356] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00690FE5
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E0000
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0FA3
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0FBE
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E0098
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0087
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0058
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0F6D
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E00BF
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E0F48
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E00EB
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E00FC
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E0FDB
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E0011
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0F92
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0047
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E002C
.text C:\WINDOWS\System32\svchost.exe[356] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E00D0
.text C:\WINDOWS\System32\svchost.exe[356] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C002C
.text C:\WINDOWS\System32\svchost.exe[356] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0058
.text C:\WINDOWS\System32\svchost.exe[356] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C001B
.text C:\WINDOWS\System32\svchost.exe[356] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0FE5
.text C:\WINDOWS\System32\svchost.exe[356] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0047
.text C:\WINDOWS\System32\svchost.exe[356] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0000
.text C:\WINDOWS\System32\svchost.exe[356] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006C0FA5
.text C:\WINDOWS\System32\svchost.exe[356] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8C, 88]
.text C:\WINDOWS\System32\svchost.exe[356] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0FC0
.text C:\WINDOWS\System32\svchost.exe[356] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0042
.text C:\WINDOWS\System32\svchost.exe[356] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0FB7
.text C:\WINDOWS\System32\svchost.exe[356] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B0FD2
.text C:\WINDOWS\System32\svchost.exe[356] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0FEF
.text C:\WINDOWS\System32\svchost.exe[356] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B0027
.text C:\WINDOWS\System32\svchost.exe[356] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B000C
.text C:\WINDOWS\System32\svchost.exe[356] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\System32\svchost.exe[372] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00690FEF
.text C:\WINDOWS\System32\svchost.exe[372] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0069002F
.text C:\WINDOWS\System32\svchost.exe[372] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0069000A
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 006E000A
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 006E0098
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 006E0087
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 006E0076
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 006E0FB9
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 006E0FD4
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 006E0F63
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 006E00B5
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 006E00E4
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006E0F41
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006E00F5
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 006E005B
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 006E001B
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 006E0F88
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 006E0040
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 006E0FE5
.text C:\WINDOWS\System32\svchost.exe[372] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006E0F52
.text C:\WINDOWS\System32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006C0028
.text C:\WINDOWS\System32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006C0F97
.text C:\WINDOWS\System32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006C0FCD
.text C:\WINDOWS\System32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006C0FDE
.text C:\WINDOWS\System32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006C0FB2
.text C:\WINDOWS\System32\svchost.exe[372] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 006C004A
.text C:\WINDOWS\System32\svchost.exe[372] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006C0039
.text C:\WINDOWS\System32\svchost.exe[372] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 006B0053
.text C:\WINDOWS\System32\svchost.exe[372] msvcrt.dll!system 77C293C7 5 Bytes JMP 006B0038
.text C:\WINDOWS\System32\svchost.exe[372] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 006B001D
.text C:\WINDOWS\System32\svchost.exe[372] msvcrt.dll!_open 77C2F566 5 Bytes JMP 006B0000
.text C:\WINDOWS\System32\svchost.exe[372] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 006B0FC8
.text C:\WINDOWS\System32\svchost.exe[372] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 006B0FE3
.text C:\WINDOWS\System32\svchost.exe[372] WS2_32.dll!socket 71AB4211 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\System32\svchost.exe[416] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00BB0FEF
.text C:\WINDOWS\System32\svchost.exe[416] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00BB0014
.text C:\WINDOWS\System32\svchost.exe[416] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BB0FDE
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0000
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0F7E
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0069
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0058
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F9B
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE002C
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F3C
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0084
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00D5
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00B0
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE00E6
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE003D
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FE5
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F63
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FC0
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0011
.text C:\WINDOWS\System32\svchost.exe[416] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE009F
.text C:\WINDOWS\System32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD000A
.text C:\WINDOWS\System32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0F79
.text C:\WINDOWS\System32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FB9
.text C:\WINDOWS\System32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD0FCA
.text C:\WINDOWS\System32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0036
.text C:\WINDOWS\System32\svchost.exe[416] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\System32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BD0025
.text C:\WINDOWS\System32\svchost.exe[416] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0FA8
.text C:\WINDOWS\System32\svchost.exe[416] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0FB2
.text C:\WINDOWS\System32\svchost.exe[416] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC003D
.text C:\WINDOWS\System32\svchost.exe[416] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC001B
.text C:\WINDOWS\System32\svchost.exe[416] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FE3
.text C:\WINDOWS\System32\svchost.exe[416] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC002C
.text C:\WINDOWS\System32\svchost.exe[416] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\SearchIndexer.exe[688] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\services.exe[1060] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E20FEF
.text C:\WINDOWS\system32\services.exe[1060] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E20014
.text C:\WINDOWS\system32\services.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E20FDE
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EA0F2B
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EA0F3C
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EA0F4D
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EA000A
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EA0F83
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EA0F10
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EA004C
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EA0073
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EA0EDA
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EA008E
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EA0F68
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EA0FCA
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EA003B
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EA0FA8
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EA0FB9
.text C:\WINDOWS\system32\services.exe[1060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EA0EF5
.text C:\WINDOWS\system32\services.exe[1060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E9001B
.text C:\WINDOWS\system32\services.exe[1060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90F91
.text C:\WINDOWS\system32\services.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\system32\services.exe[1060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E9000A
.text C:\WINDOWS\system32\services.exe[1060] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E9004E
.text C:\WINDOWS\system32\services.exe[1060] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E90FEF
.text C:\WINDOWS\system32\services.exe[1060] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E9003D
.text C:\WINDOWS\system32\services.exe[1060] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\services.exe[1060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E4005A
.text C:\WINDOWS\system32\services.exe[1060] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E40049
.text C:\WINDOWS\system32\services.exe[1060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E40027
.text C:\WINDOWS\system32\services.exe[1060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E40FE3
.text C:\WINDOWS\system32\services.exe[1060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E40038
.text C:\WINDOWS\system32\services.exe[1060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E40000
.text C:\WINDOWS\system32\services.exe[1060] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E30FE5
.text C:\WINDOWS\system32\lsass.exe[1072] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00E60FE5
.text C:\WINDOWS\system32\lsass.exe[1072] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00E60FC0
.text C:\WINDOWS\system32\lsass.exe[1072] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E60000
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EA0FEF
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EA0F4E
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EA0F5F
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EA0F70
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EA0039
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EA0FA8
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EA008A
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EA006F
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EA00B6
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EA0F1D
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EA0F0C
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EA0F8D
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EA0FDE
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EA005E
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EA0FB9
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EA000A
.text C:\WINDOWS\system32\lsass.exe[1072] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EA009B
.text C:\WINDOWS\system32\lsass.exe[1072] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E9002C
.text C:\WINDOWS\system32\lsass.exe[1072] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E90073
.text C:\WINDOWS\system32\lsass.exe[1072] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E90FDB
.text C:\WINDOWS\system32\lsass.exe[1072] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E90011
.text C:\WINDOWS\system32\lsass.exe[1072] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E90FAC
.text C:\WINDOWS\system32\lsass.exe[1072] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\lsass.exe[1072] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E9004E
.text C:\WINDOWS\system32\lsass.exe[1072] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E9003D
.text C:\WINDOWS\system32\lsass.exe[1072] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E80053
.text C:\WINDOWS\system32\lsass.exe[1072] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E80FD2
.text C:\WINDOWS\system32\lsass.exe[1072] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E80038
.text C:\WINDOWS\system32\lsass.exe[1072] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E80000
.text C:\WINDOWS\system32\lsass.exe[1072] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E80FE3
.text C:\WINDOWS\system32\lsass.exe[1072] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E80011
.text C:\WINDOWS\system32\lsass.exe[1072] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00F4000A
.text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00F40036
.text C:\WINDOWS\system32\svchost.exe[1216] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00F4001B
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F80000
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F800B8
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F80093
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F80FB9
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F80FD4
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F8005B
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F800E4
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F800D3
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F80F70
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F80109
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F80F55
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F80076
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F80FEF
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F80FA8
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F80040
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F80025
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F80F8B
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F7001E
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F7005B
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F70FCD
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F70FDE
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F70F9E
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F70FEF
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00F70040
.text C:\WINDOWS\system32\svchost.exe[1216] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F7002F
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F60F7F
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F60F90
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F60FC6
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F60FEF
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F60FB5
.text C:\WINDOWS\system32\svchost.exe[1216] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F60000
.text C:\WINDOWS\system32\svchost.exe[1216] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F50FEF
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00C00FE5
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00C0000A
.text C:\WINDOWS\system32\svchost.exe[1292] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C00FD4
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40000
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C4009F
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C40FB4
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C4008E
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C4007D
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40051
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C400E8
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C400D7
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C40F6A
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C40103
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C40F59
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C40062
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C4001B
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C400BA
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C40040
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C40FEF
.text C:\WINDOWS\system32\svchost.exe[1292] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C40F7B
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30047
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30098
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C30025
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30087
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C3000A
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E3, 88] {JECXZ 0xffffffffffffff8a}
.text C:\WINDOWS\system32\svchost.exe[1292] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C3006C
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C20F9E
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C20FB9
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FDE
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20000
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20029
.text C:\WINDOWS\system32\svchost.exe[1292] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C20FEF
.text C:\WINDOWS\system32\svchost.exe[1292] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10FE5
.text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 05890FEF
.text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 05890FCA
.text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 05890000
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 05A00FEF
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 05A00F8D
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 05A00082
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 05A00F9E
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 05A00FAF
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 05A00047
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 05A000BF
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 05A000AE
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 05A00F4B
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 05A00F5C
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 05A000FF
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 05A00FC0
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 05A0000A
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 05A0009D
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 05A0002C
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 05A0001B
.text C:\WINDOWS\System32\svchost.exe[1368] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 05A000DA
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 059F0FB9
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 059F0F68
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 059F000A
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 059F0FCA
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 059F0F83
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 059F0FE5
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 059F002F
.text C:\WINDOWS\System32\svchost.exe[1368] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 059F0FA8
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 059E0053
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!system 77C293C7 5 Bytes JMP 059E0038
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 059E0FE3
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_open 77C2F566 5 Bytes JMP 059E000C
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 059E0FD2
.text C:\WINDOWS\System32\svchost.exe[1368] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 059E001D
.text C:\WINDOWS\System32\svchost.exe[1368] WS2_32.dll!socket 71AB4211 5 Bytes JMP 059D0FEF
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 059C0FE5
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 059C0000
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 059C0FCA
.text C:\WINDOWS\System32\svchost.exe[1368] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 059C001B
.text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00630000
.text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00630025
.text C:\WINDOWS\system32\svchost.exe[1492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00630FEF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00660FEF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00660F81
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0066006C
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00660F92
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00660FAF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00660036
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 0066009B
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00660F53
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00660F38
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 006600D1
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 006600EC
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00660047
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00660000
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00660F70
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0066001B
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00660FD4
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 006600B6
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00650051
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006500BD
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00650036
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0065001B
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00650098
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00650000
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00650087
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00650062
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00640042
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00640031
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00640FC1
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00640FE3
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00640016
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00640FD2
.text C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006C000A
.text C:\WINDOWS\System32\svchost.exe[1608] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006C0FD4
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00790000
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007900A4
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00790089
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!LoadLibraryExW 7C801AF5 3 Bytes JMP 00790FAF
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!LoadLibraryExW + 4 7C801AF9 1 Byte [83]
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00790FCA
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0079005B
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007900C6
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00790F8A
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00790F37
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00790F52
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007900EB
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0079006C
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00790025
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007900B5
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00790040
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00790FEF
.text C:\WINDOWS\System32\svchost.exe[1608] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00790F63
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00780036
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00780062
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00780025
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00780FE5
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00780FA5
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00780000
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00780FC0
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [98, 88]
.text C:\WINDOWS\System32\svchost.exe[1608] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00780047
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00770064
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!system 77C293C7 5 Bytes JMP 00770053
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00770027
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0077000C
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00770038
.text C:\WINDOWS\System32\svchost.exe[1608] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00770FE3
.text C:\WINDOWS\System32\svchost.exe[1608] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FEF
.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006C001E
.text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006C0FDE
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009E0000
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009E005A
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009E0049
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009E0038
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009E0F6F
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009E0FAF
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009E0F54
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009E009C
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009E0F0D
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009E0F28
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009E0EFC
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009E0F94
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009E0FE5
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009E007F
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009E001B
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009E0FCA
.text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009E0F39
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009D0FB9
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009D0F79
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009D0FCA
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009D0000
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009D0036
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009D0FE5
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009D0F94
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BD, 88]
.text C:\WINDOWS\System32\svchost.exe[1660] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009D0025
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009C0058
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!system 77C293C7 5 Bytes JMP 009C0047
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009C001B
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009C0036
.text C:\WINDOWS\System32\svchost.exe[1660] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009C0000
.text C:\WINDOWS\System32\svchost.exe[1660] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\System32\svchost.exe[1848] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00630000
.text C:\WINDOWS\System32\svchost.exe[1848] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00630FDB
.text C:\WINDOWS\System32\svchost.exe[1848] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0063001B
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BD0FEF
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BD0F5A
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BD0F6B
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BD0F86
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BD0F97
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BD0FB2
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BD007B
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BD006A
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BD00B8
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BD009D
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BD00C9
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BD0039
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BD0014
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BD0F3F
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BD0FCD
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BD0FDE
.text C:\WINDOWS\System32\svchost.exe[1848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BD008C
.text C:\WINDOWS\System32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BC0025
.text C:\WINDOWS\System32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BC006C
.text C:\WINDOWS\System32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BC0FD4
.text C:\WINDOWS\System32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BC0000
.text C:\WINDOWS\System32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BC0FAF
.text C:\WINDOWS\System32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BC0FEF
.text C:\WINDOWS\System32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00BC005B
.text C:\WINDOWS\System32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BC0040
.text C:\WINDOWS\System32\svchost.exe[1848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00660FB9
.text C:\WINDOWS\System32\svchost.exe[1848] msvcrt.dll!system 77C293C7 5 Bytes JMP 00660044
.text C:\WINDOWS\System32\svchost.exe[1848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00660FE5
.text C:\WINDOWS\System32\svchost.exe[1848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00660000
.text C:\WINDOWS\System32\svchost.exe[1848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00660FCA
.text C:\WINDOWS\System32\svchost.exe[1848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00660029
.text C:\WINDOWS\System32\svchost.exe[1848] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 00640FEF
.text C:\WINDOWS\System32\svchost.exe[1848] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 0064000A
.text C:\WINDOWS\System32\svchost.exe[1848] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 00640FDE
.text C:\WINDOWS\System32\svchost.exe[1848] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 00640FCD
.text C:\WINDOWS\System32\svchost.exe[1848] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00650FEF
.text C:\WINDOWS\system32\svchost.exe[1920] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 006C0000
.text C:\WINDOWS\system32\svchost.exe[1920] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 006C0025
.text C:\WINDOWS\system32\svchost.exe[1920] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006C0FEF
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B10000
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B100A7
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B10096
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B10FB2
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B10FC3
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B1005B
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B10F6B
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B10F86
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B10F50
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B100DF
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B10F35
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B10FD4
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B10FEF
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B10F97
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B1004A
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B1002F
.text C:\WINDOWS\system32\svchost.exe[1920] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B100CE
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B00036
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B0007D
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B00FEF
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B0001B
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B00FC0
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B00000
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B0006C
.text C:\WINDOWS\system32\svchost.exe[1920] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B0005B
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AF0FB9
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AF0FCA
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AF0029
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AF003A
.text C:\WINDOWS\system32\svchost.exe[1920] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AF0FEF
.text C:\WINDOWS\Explorer.EXE[3276] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 00090FE5
.text C:\WINDOWS\Explorer.EXE[3276] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00090011
.text C:\WINDOWS\Explorer.EXE[3276] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00090000
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0093
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B0078
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B0F9E
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B005B
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00D5
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F83
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B0F68
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B00F7
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001B0F43
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001B0040
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001B000A
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001B00AE
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001B0FD4
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001B0025
.text C:\WINDOWS\Explorer.EXE[3276] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001B00E6
.text C:\WINDOWS\Explorer.EXE[3276] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002A0047
.text C:\WINDOWS\Explorer.EXE[3276] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002A0FDB
.text C:\WINDOWS\Explorer.EXE[3276] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002A0036
.text C:\WINDOWS\Explorer.EXE[3276] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002A0025
.text C:\WINDOWS\Explorer.EXE[3276] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002A0098
.text C:\WINDOWS\Explorer.EXE[3276] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002A000A
.text C:\WINDOWS\Explorer.EXE[3276] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 002A0073
.text C:\WINDOWS\Explorer.EXE[3276] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002A0062
.text C:\WINDOWS\Explorer.EXE[3276] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002B004C
.text C:\WINDOWS\Explorer.EXE[3276] msvcrt.dll!system 77C293C7 5 Bytes JMP 002B0FC1
.text C:\WINDOWS\Explorer.EXE[3276] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002B000C
.text C:\WINDOWS\Explorer.EXE[3276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002B0FEF
.text C:\WINDOWS\Explorer.EXE[3276] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002B0027
.text C:\WINDOWS\Explorer.EXE[3276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002B0FD2
.text C:\WINDOWS\Explorer.EXE[3276] WININET.dll!InternetOpenA 3D95D6A8 5 Bytes JMP 002D0FE5
.text C:\WINDOWS\Explorer.EXE[3276] WININET.dll!InternetOpenW 3D95DB21 5 Bytes JMP 002D0000
.text C:\WINDOWS\Explorer.EXE[3276] WININET.dll!InternetOpenUrlA 3D95F3BC 5 Bytes JMP 002D001B
.text C:\WINDOWS\Explorer.EXE[3276] WININET.dll!InternetOpenUrlW 3D9A6DFF 5 Bytes JMP 002D0FC0
.text C:\WINDOWS\Explorer.EXE[3276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F10FEF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[304] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegQueryValueExW] [00407740] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)
IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[304] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [004077A0] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe (McAfee Process Validation Service/McAfee, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs MOBK.sys (Mozy Change Monitor Filter Driver/Mozy, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Quote

You'll have to fix it manually.
See my guide here: http://www.smartestcomputing.us.com/topic/46010-how-to-restore-start-menu-and-files-hiddendeleted-by-a-virus/
Scroll down to "Method 3 - manual".

=====================================================================

You're running two AV programs, McAfee and MSE.
One of them has to go.
If McAfee use this tool to uninstall it: http://majorgeeks.com/McAfee_Consumer_Product_Removal_Tool_d5420.html

=====================================================================

Your "hosts" file has been hijacked.

Please, go here: http://support.microsoft.com/kb/972034#FixItForMeAlways and click on "Fix it" button to reset your "hosts" file.

Open Notepad.
Paste the following text into it:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#  	102.54.94.97 	rhino.acme.com      	# source server
#   	38.25.63.10 	x.acme.com          	# x client host

127.0.0.1   	localhost

Go File>Save As and...

1. Name the file hosts. (no extension; make sure there is just a "dot" at the end <--- VERY IMPORTANT!)
2. Make sure, "Save as type:" is set to "All Files (*.*)
3. Make sure the file is saved to C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder



Re-run MiniToolbox with only this checked:
List content of Hosts
Post new log.

======================================================================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

Broni,

Some of the programs were restored and some are still empty. I was not able to manually create All Programs entries because the programs properties screen did not have a shortcut tab. My options were General, Sharing, and Customize. Also, Windows Explorer did not have Create Shortcut option when I right clicked on the programs. I get a message on blue screen during reboot that says system root not fouund...skipping Autochk...


MiniToolBox by Farbar
Ran by Cher (administrator) on 08-01-2012 at 21:43:25
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************
========================= Hosts content: =================================

127.0.0.1 localhost
127.0.0.1 localhost


**** End of log ****


--------------------------------------------------------------------------------------------------------------------

aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-08 20:53:16
-----------------------------
20:53:16.343 OS Version: Windows 5.1.2600 Service Pack 3
20:53:16.343 Number of processors: 1 586 0x207
20:53:16.343 ComputerName: MESHON UserName: Cher
20:53:17.984 Initialize success
21:04:04.859 AVAST engine defs: 12010801
21:23:40.234 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:23:40.250 Disk 0 Vendor: WDC_WD1600AAJB-00J3A0 01.03E01 Size: 152627MB BusType: 3
21:23:40.250 Disk 0 MBR read successfully
21:23:40.250 Disk 0 MBR scan
21:23:40.343 Disk 0 Windows XP default MBR code
21:23:40.343 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
21:23:40.390 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152593 MB offset 64260
21:23:40.437 Disk 0 scanning sectors +312576705
21:23:40.546 Disk 0 scanning C:\WINDOWS\system32\drivers
21:24:14.156 Service scanning
21:24:15.187 Service MpKsl34bdaa4f c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{24B0EA7D-BA0F-4BCC-8C21-724E187FCE18}\MpKsl34bdaa4f.sys **LOCKED** 32
21:24:15.843 Modules scanning
21:24:23.187 Disk 0 trace - called modules:
21:24:23.734 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:24:23.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8674cab8]
21:24:23.750 3 CLASSPNP.SYS[f78a3fd7] -> nt!IofCallDriver -> \Device\00000063[0x867caf18]
21:24:23.765 5 ACPI.sys[f781a620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x867c8940]
21:24:24.359 AVAST engine scan C:\WINDOWS
21:24:57.203 AVAST engine scan C:\WINDOWS\system32
21:29:47.375 AVAST engine scan C:\WINDOWS\system32\drivers
21:30:29.593 AVAST engine scan C:\Documents and Settings\Cher
21:36:10.375 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Cher\Desktop\broni logs\MBR.dat"
21:36:10.406 The log file has been saved successfully to "C:\Documents and Settings\Cher\Desktop\broni logs\aswMBR.txt"


aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software
Run date: 2012-01-08 21:45:14
-----------------------------
21:45:14.156 OS Version: Windows 5.1.2600 Service Pack 3
21:45:14.156 Number of processors: 1 586 0x207
21:45:14.156 ComputerName: MESHON UserName: Cher
21:45:15.859 Initialize success
21:45:31.031 AVAST engine defs: 12010801
21:45:34.359 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:45:34.359 Disk 0 Vendor: WDC_WD1600AAJB-00J3A0 01.03E01 Size: 152627MB BusType: 3
21:45:34.390 Disk 0 MBR read successfully
21:45:34.390 Disk 0 MBR scan
21:45:34.453 Disk 0 Windows XP default MBR code
21:45:34.453 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
21:45:34.500 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 152593 MB offset 64260
21:45:34.500 Disk 0 scanning sectors +312576705
21:45:34.656 Disk 0 scanning C:\WINDOWS\system32\drivers
21:46:22.140 Service scanning
21:46:23.484 Service MpKsl34bdaa4f c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{24B0EA7D-BA0F-4BCC-8C21-724E187FCE18}\MpKsl34bdaa4f.sys **LOCKED** 32
21:46:24.156 Modules scanning
21:46:37.015 Disk 0 trace - called modules:
21:46:37.046 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:46:37.046 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8674cab8]
21:46:37.046 3 CLASSPNP.SYS[f78a3fd7] -> nt!IofCallDriver -> \Device\00000063[0x867caf18]
21:46:37.046 5 ACPI.sys[f781a620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x867c8940]
21:46:37.562 AVAST engine scan C:\WINDOWS
21:47:37.109 AVAST engine scan C:\WINDOWS\system32
21:54:12.531 AVAST engine scan C:\WINDOWS\system32\drivers
21:55:25.093 AVAST engine scan C:\Documents and Settings\Cher
21:58:10.734 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Cher\Desktop\broni logs\MBR.dat"
21:58:10.781 The log file has been saved successfully to "C:\Documents and Settings\Cher\Desktop\broni logs\aswMBR.txt"

Quote

I suggest you re-read my manual more carefully.

Any other current issues?

Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.

=============================================================================

Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
  
• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• Accept any security warnings from your browser.
  
• Check Scan archives
  
• Click Start
  
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  
• When the scan completes, click on List of found threats
  
• Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  NOTE. If Eset doesn't find any threats it'll NOT produce any log.

Good Morning Broni,

During TCF scan , got TFC Corrupt File error - c:\documents and Setting\Cher\Local Settings\Temporary Internet Files\Content.IES\GREJ2xIP\Google.com{2}.htm is corrupted and unreadable. Please run CHKDSK.


I disabled MSE Real Time Protection but ESET scanner stll detected it. I'm not sure if it had an impact on the scan.

I still dont get the desired results from the manual process. Maybe you can tell me whan I'm doing wrong. Here is what I did.
1. SUccessfully Restored default for Windows XP Pro 32-bit
2. Downloaded APPS Paths
3. Went to Start > All Programs > Kodak > Kodak Easy Share. Right clicked on Kodack Eash Share > Properties > Kodak Easy Share Properties screen does not have a Shortcut tab. Only has General, Sharing, and Customize tabs. The same is true for Microsoft Office Tools and all other programs. Also, some programs like Kodak Easy Share are not listed on the App Paths document.

WHen trying to view Kodak picture files through Kodak sortware. I get an error message for some pictures-Kodak Easyshare software cannot read the file. The file exist but my be damages.

Plus I do not get the create shortcut option through Windows Explorer. What am I doing wrong?


Here are the results ot the Eset Online scan.

C:\Documents and Settings\Cher\Desktop\programs\Setup_FreeConverter.exe Win32/Adware.Toolbar.Dealio application

This post has been edited by idr: 09 January 2012 - 08:42 AM

My manual will work in most cases, but sometimes due to the infection some programs will have to be reinstalled.
So I guess you didn't do anything wrong.

1. Click Start, click Run, type chkdsk /f /r, and then click OK.
2. At the command prompt, type Y to let the disk scanner run when you restart the computer.
3. Restart the computer.
4. Chkdsk will run.
Let me know if any errors were found.

Then, delete your TFC file, download fresh one and try to run it again.
If still some problems, run it from safe mode.

Hi Broni,

I was able to run Chkdsk and the TFC scan with no problems. What next?

This post has been edited by idr: 10 January 2012 - 09:39 PM

Eset online scanner...

Hi,

Here are the results ot the Eset Online scan.


C:\Documents and Settings\Cher\Desktop\programs\Setup_FreeConverter.exe Win32/Adware.Toolbar.Dealio application

Update Adobe Flash Player
Download the Latest Adobe Flash for Firefox and IE Without Any Extras: http://www.404techsupport.com/2010/04/27/download-the-latest-adobe-flash-for-firefox-and-ie-without-any-extras/

1. Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

2. Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
  
• Accept any prompts.
  
• Do NOT post JavaRa log.

====================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll remove all old restore points and create fresh, clean restore point.

Turn system restore off.
Restart computer.
Turn system restore back on.

If you don't know how to do it...
Windows XP: http://support.microsoft.com/kb/310405
Vista and Windows 7: http://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

2. Make sure, Windows Updates are current.

3. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

4. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

5. Run Temporary File Cleaner (TFC) weekly.

6. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

7. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

8. When installing\updating ANY program, make sure you always select "Custom " installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

10. Except for MBAM and TFC, which are keepers you can simply delete all other tools we used as they don't install.

Good Morning Broni,

Thank you for your help and time.