CPU running at 100%; could I have a virus?


This topic is locked
24 replies to this topic

#1 tyl604 (Members, 373 posts; Atlanta, GA)

Posted 10 March 2009 - 03:50 PM

Running Windows XP on a T2698 Emachines with 1.43 gig of RAM and 250 gig hard drive with only 64 gig used. As long as I have the Ativa thumbdrive working so I can connect wirelessly to my wireless router for internet, the CPU always runs 100% use. When I remove the Ativa thumbdrive, CPU goes down to say 15% - but of course I cannot access the internet. From PC Magazine I installed Process Explorer (technet.microsoft.com/en-us/sysinternals/bb896653.aspx) so I could inspect a more informative Task Manager.

I have found that System takes about 65% of the CPU and of this Ativacui.exe takes 25% of the system. Process Explorer warned me to look for things running from a temp file and I found under Ativacui.exe two instances of ~DF4547.tmp running from C:\Documents and Settings\Owner\Local Settings\Temp\~DF4547.tmp.

As a novice I wonder if this (~DF4547.tmp) could indicate a hijacking which uses up my CPU. I also notice under the CPU breakdown that the total processes do not add to 65% by looking at everything under Systems; looks like something which uses a lot of the 65% is hidden.

Can anyone tell me if I correctly identified a hijacker as ~DF4547.tmp and, if so, how to get rid of it? Or can anyone help otherwise. I have run TrendMicro's free housecall several times and it finds nothing.


Thanks

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 16:43:26.70 on Tue 03/10/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.627 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\twain_32\A4S2_600\watch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\MSCAN\Msoffice\panel.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ALToolbarBho Class: {7f1a79f9-78d1-4186-9f60-ee0b63df042a} - c:\program files\estsoft\altoolbar\ALToolBand_114_25.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: ALToolBar: {38fbe93d-4ca1-4414-af6a-94920c5bd8da} - c:\program files\estsoft\altoolbar\ALToolBand_114_25.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Simple Star PhotoShow Media Manager] c:\progra~1\simple~2\photos~1\data\xtras\mssysmgr.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [DVDTray] c:\program files\hp dvd\umbrella\DVDTray.exe
mRun: [DVDBitSet] c:\program files\hp dvd\umbrella\DVDBitSet.exe /NOUI
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [PC Pitstop Optimize Reminder] c:\program files\pcpitstop\optimize2\Reminder.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\watch.lnk - c:\windows\twain_32\a4s2_600\watch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ativaw~1.lnk - c:\program files\ativa\usb awgua54\wireless utility\Ativawcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: ALToolBar &Search - c:\program files\estsoft\altoolbar\ALToolBandRes.dll/23/SEARCH.HTML
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-3-24 42376]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-3-24 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-3-24 81288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-23 201320]
R3 A4S2600;A4S2600;c:\windows\system32\drivers\A4S2600.SYS [2008-3-24 71520]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-23 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-23 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-23 40488]
R3 ODWGU(Ativa);Ativa Wireless G USB Network Adapter(Ativa);c:\windows\system32\drivers\ODWGU.sys [2008-3-24 408064]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;c:\windows\system32\drivers\hpusbwdm.sys [2004-1-5 1080832]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-23 33832]

=============== Created Last 30 ================

2009-03-07 12:37 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-07 12:37 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-07 12:36 <DIR> --d----- c:\program files\iPod
2009-03-07 12:36 <DIR> --d----- c:\program files\iTunes
2009-03-07 12:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-07 12:36 <DIR> --d----- c:\program files\Bonjour
2009-03-07 12:28 <DIR> --d----- c:\program files\MixMeister EZ Vinyl Tape Converter
2009-03-03 16:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop
2009-02-10 19:35 102,664 a------- c:\windows\system32\drivers\tmcomm.sys

==================== Find3M ====================

2009-01-27 10:58 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-20 19:15 826,368 a------- c:\windows\system32\wininet.dll
2008-06-12 03:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061220080613\index.dat

============= FINISH: 16:44:49.89 ===============
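An added example for readers who want to do the first pass over a DDS log like the one above themselves; this is not code from the original post, from DDS or from Process Explorer. Two caveats the script is built around: Process Explorer's lower pane lists a process's open handles and loaded modules, so a .tmp path shown there under a process is a file that process has open rather than a second running program, which is why the script judges the image paths of running processes and autorun targets instead; and CPU time charged to the System process is kernel time (the driver list above shows the adapter's own driver, ODWGU.sys), which a DDS log cannot attribute, so the script covers only the user-mode side. It assumes the default C:\WINDOWS directory, a marker list of user-writable locations chosen for this example, and one constructed input line: the ~DF4547.tmp path the poster saw, written as if it were a running image so the temp-path rule has something to hit. The Java check reflects what the logs above show (DPF entries for several JRE 6 update levels, and Update 5, 7 and 11 all listed under Installed Programs).

```python
"""Triage a DDS log in the format posted above: added example, not DDS's or
Process Explorer's code. Parses "Running Processes" and "Pseudo HJT Report"
and flags what a malware-removal helper reads first. Assumes the default
C:\\WINDOWS directory; the marker lists below are this example's own choices."""
import re

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AUTORUN_RE = re.compile(r"^(uRun|mRun|StartupFolder|AppInit_DLLs|BHO|TB|DPF):\s*(.*)$")
JAVA_INSTALLER_RE = re.compile(r"jinstall-1_6_0(?:_(\d+))?-windows", re.I)

# Directories an ordinary XP user can write to; code that never gained admin
# rights usually runs from one of these (matched on normalize()d paths).
USER_WRITABLE = ("/local settings/temp/", "/temp/", "/temporary internet files/",
                 "/documents and settings/", "/docume~1/", "/recycler/")

# Core Windows binaries and the only directory each should run from.
CORE_BINARIES = {n: "c:/windows/system32" for n in (
    "svchost", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "spoolsv.exe", "alg.exe", "ctfmon.exe")}
CORE_BINARIES["explorer.exe"] = "c:/windows"

# Excerpt of the first DDS log in this thread plus ONE constructed line: the
# ~DF4547.tmp path the poster saw, written as if it were a running image so
# the temp-path rule has something to hit.
SAMPLE = r"""
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\Documents and Settings\Owner\Local Settings\Temp\~DF4547.tmp
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [DVDBitSet] c:\program files\hp dvd\umbrella\DVDBitSet.exe /NOUI
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ativaw~1.lnk - c:\program files\ativa\usb awgua54\wireless utility\Ativawcui.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

============= SERVICES / DRIVERS ===============
"""

def normalize(path):
    return path.strip().strip('"').lower().replace("\\", "/")

def image_path(cmdline):
    """Strip arguments: 'C:\\...\\svchost -k netsvcs' -> 'C:\\...\\svchost'."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return re.split(r"\s+[-/]", cmdline, maxsplit=1)[0]

def autorun_target(kind, body):
    """The file (or URL) an autorun entry points at."""
    if kind in ("uRun", "mRun"):
        return image_path(re.sub(r"^\[[^\]]*\]\s*", "", body))
    if kind == "AppInit_DLLs":
        return body.strip()
    return body.rsplit(" - ", 1)[-1].strip()   # StartupFolder/BHO/TB/DPF

def parse(text):
    section, processes, autoruns = None, [], []
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line) if line else None
        if m:
            section = m.group(1).lower()
        elif line and section == "running processes":
            processes.append(image_path(line))
        elif line and section == "pseudo hjt report":
            m = AUTORUN_RE.match(line)
            if m:
                autoruns.append((m.group(1), m.group(2)))
    return processes, autoruns

def location_flags(path):
    """Reasons to look twice at an image, judged by its path alone."""
    p = normalize(path)
    reasons = [f"under {m.strip('/')}" for m in USER_WRITABLE if m in p][:1]
    if p.endswith(".tmp"):
        reasons.append("executing image named like a temp file (.tmp)")
    return reasons

def core_binary_flag(path):
    """A core Windows binary outside its home directory is a classic masquerade."""
    directory, _, name = normalize(path).rpartition("/")
    expected = CORE_BINARIES.get(name)
    if expected and directory != expected:
        return f"{name} running from {directory} instead of {expected}"
    return None

def java_installer_flag(autoruns):
    """Several JRE 6 update levels registered: old JREs are probably still installed."""
    levels = {int(m.group(1) or 0) for kind, body in autoruns if kind == "DPF"  # base release -> 0
              for m in [JAVA_INSTALLER_RE.search(body)] if m}
    if len(levels) < 2:
        return None
    newest = max(levels)
    older = ", ".join(f"6u{v}" for v in sorted(levels) if v != newest)
    return (f"Java installer entries for {older} still registered alongside "
            f"6u{newest}; check Add/Remove Programs for leftover JREs")

def triage(text):
    processes, autoruns = parse(text)
    findings = [("process", p, r) for p in processes
                for r in location_flags(p) + [core_binary_flag(p)] if r]
    for kind, body in autoruns:
        if kind != "DPF":                      # DPF targets are download URLs
            target = autorun_target(kind, body)
            findings += [(kind, target, r) for r in location_flags(target)]
    java = java_installer_flag(autoruns)
    if java:
        findings.append(("DPF", "Java", java))
    return {"processes": processes, "autoruns": autoruns, "findings": findings}

if __name__ == "__main__":
    for kind, what, reason in triage(SAMPLE)["findings"]:
        print(f"[{kind}] {what}\n    {reason}")
```

Run it against a full DDS log by reading the file into triage(). A flag is a lead, not a verdict: dds.scr gets flagged because it runs from the user's Desktop, and it is the very tool that produced the log, which is exactly the kind of hit you expect to clear by hand.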


#2 KoanYorel, Bleepin' Conundrum (Staff Emeritus, 19,461 posts; 65 miles due East of the "Logic Free Zone", in Md, USA)

Posted 22 March 2009 - 12:58 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 tyl604, Topic Starter (Members, 373 posts; Atlanta, GA)

Posted 23 March 2009 - 09:18 AM

I think I have figured out how to respond now. Tried replying to the bleeping computer email and that did not work. In response to your questions:

Thank you for your assistance. This computer is located in my home office about 30' from my router; it communicates with the router and is connected to the internet wirelessly via an Ativa thumbdrive; the computer always shows my signal strength as low at 24Mbps. My problem is that this computer (as long as the Ativa thumbdrive is connected) always runs with "CPU running at 100%." It runs Word and other applications OK if somewhat slowly; however the main problem is that when I try to run Lotus Organizer I often (not always) receive a message saying there is not enough memory left and recommending that I shut down some applications. This happens even when no application other than Lotus Organizer is running. Shutting down some or all of the other applications never helps and I am constantly required to reboot.

The CPU does not run at 100% if I unplug the Ativa thumbdrive; drops to 10-15%. So it must have something to do with my Ativa connection to the internet. When I bring a laptop to my office I am able to connect to the internet easily (does not use Ativa) and the laptop does not run the CPU at 100% so I know something is wrong with my big computer.

I wonder if my computer is now a zombie and something else is running, something that Task Manager does not report, and that causes the CPU to run at 100%. I have run Trend Micro's Free Housecall and find nothing.

At your request I am attaching an updated run of the DDS log and a zipped file of the Attach document.

The question again - why does this CPU run at 100% constantly as long as I am connected to the internet through the Ativa thumbdrive? What can I do to free up the CPU so Lotus Organizer will run properly? Is this slowing down other activities on my computer and is this computer a zombie?

Thanks for your help.



DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 21:09:49.43 on Sun 03/22/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1471.381 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\twain_32\A4S2_600\watch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\MSCAN\Msoffice\panel.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: ALToolbarBho Class: {7f1a79f9-78d1-4186-9f60-ee0b63df042a} - c:\program files\estsoft\altoolbar\ALToolBand_114_25.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: ALToolBar: {38fbe93d-4ca1-4414-af6a-94920c5bd8da} - c:\program files\estsoft\altoolbar\ALToolBand_114_25.dll
TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Simple Star PhotoShow Media Manager] c:\progra~1\simple~2\photos~1\data\xtras\mssysmgr.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
mRun: [NVMixerTray] "c:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [DVDTray] c:\program files\hp dvd\umbrella\DVDTray.exe
mRun: [DVDBitSet] c:\program files\hp dvd\umbrella\DVDBitSet.exe /NOUI
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [PC Pitstop Optimize Reminder] c:\program files\pcpitstop\optimize2\Reminder.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi.exe
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\watch.lnk - c:\windows\twain_32\a4s2_600\watch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ativaw~1.lnk - c:\program files\ativa\usb awgua54\wireless utility\Ativawcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: ALToolBar &Search - c:\program files\estsoft\altoolbar\ALToolBandRes.dll/23/SEARCH.HTML
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} - hxxp://radaol-prod-web-rr.streamops.aol.com/mediaplugin/3.0.84.2/win32/unagi3.0.84.2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-3-24 42376]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-3-24 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-3-24 81288]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-4-23 201320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-4-22 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-4-23 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-3-24 747912]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-3-24 948616]
R3 A4S2600;A4S2600;c:\windows\system32\drivers\A4S2600.SYS [2008-3-24 71520]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-4-23 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-4-23 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-4-23 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-4-23 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-4-23 40488]
R3 ODWGU(Ativa);Ativa Wireless G USB Network Adapter(Ativa);c:\windows\system32\drivers\ODWGU.sys [2008-3-24 408064]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2008-12-10 7808]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;c:\program files\google\google desktop search\GoogleDesktop.exe [2008-3-24 29744]
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;c:\windows\system32\drivers\hpusbwdm.sys [2004-1-5 1080832]

=============== Created Last 30 ================

2009-03-16 10:46 <DIR> --d----- c:\program files\AskBarDis
2009-03-16 10:46 <DIR> --d----- c:\docume~1\owner\applic~1\Foxit
2009-03-07 12:37 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-07 12:37 15,464 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-07 12:36 <DIR> --d----- c:\program files\iPod
2009-03-07 12:36 <DIR> --d----- c:\program files\iTunes
2009-03-07 12:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-07 12:36 <DIR> --d----- c:\program files\Bonjour
2009-03-07 12:28 <DIR> --d----- c:\program files\MixMeister EZ Vinyl Tape Converter
2009-03-03 16:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCPitstop

==================== Find3M ====================

2009-02-09 07:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-01-27 10:58 410,984 a------- c:\windows\system32\deploytk.dll
2008-06-12 03:10 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061220080613\index.dat

============= FINISH: 21:10:46.90 ===============


DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/24/2008 3:15:30 PM
System Uptime: 3/19/2009 1:26:45 PM (80 hours ago)

Motherboard: eMachines, Inc. | | MS6777
Processor: AMD Athlon™ XP 2600+ | Socket A | 1913/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 233 GiB total, 184.076 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is Removable
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP66: 9/10/2008 3:00:14 AM - Software Distribution Service 3.0
RP67: 9/10/2008 3:43:34 PM - Removed Opera 9.52
RP68: 9/10/2008 3:43:39 PM - Installed Opera 9.52
RP69: 9/10/2008 4:01:56 PM - Installed 7-Zip 4.57
RP70: 10/16/2008 3:00:15 AM - Software Distribution Service 3.0
RP71: 10/24/2008 3:00:14 AM - Software Distribution Service 3.0
RP72: 10/30/2008 2:21:47 PM - Removed OpenOffice.org 2.4
RP73: 10/30/2008 2:22:43 PM - Installed OpenOffice.org 3.0
RP74: 11/13/2008 3:00:15 AM - Software Distribution Service 3.0
RP75: 11/23/2008 6:58:14 AM - System Checkpoint
RP76: 11/24/2008 7:15:43 AM - System Checkpoint
RP77: 12/12/2008 3:00:15 AM - Software Distribution Service 3.0
RP78: 12/18/2008 3:00:14 AM - Software Distribution Service 3.0
RP79: 1/14/2009 3:00:15 AM - Software Distribution Service 3.0
RP80: 1/27/2009 9:58:31 AM - Installed Java™ 6 Update 11
RP81: 1/27/2009 10:01:06 AM - Removed Adobe Reader 8.1.2
RP82: 1/27/2009 10:01:28 AM - Installed Adobe Reader 8.1.3
RP83: 1/27/2009 10:04:22 AM - Removed Opera 9.52
RP84: 1/27/2009 10:04:28 AM - Installed Opera 9.63
RP85: 2/11/2009 3:00:15 AM - Software Distribution Service 3.0
RP86: 2/25/2009 3:00:14 AM - Software Distribution Service 3.0
RP87: 3/4/2009 11:32:19 AM - PC Decrapifier Restore Point
RP88: 3/7/2009 11:36:34 AM - Installed iTunes
RP89: 3/11/2009 2:00:14 AM - Software Distribution Service 3.0
RP90: 3/13/2009 2:00:15 AM - Software Distribution Service 3.0
RP91: 3/16/2009 10:48:40 AM - Removed Opera 9.63
RP92: 3/16/2009 10:48:49 AM - Installed Opera 9.64

==== Installed Programs ======================

7-Zip 4.57
ABBYY FineReader OCR Engine for Microtek
Acoustica CD/DVD Label Maker
Acoustica Effects Pack
Adobe Acrobat 6.0 Standard
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Reader 8.1.4
Adobe Shockwave Player 11
ALToolbar
ALTools Update
ALZip
Apple Mobile Device Support
Apple Software Update
ArcSoft ShowBiz 2
Ativa Wireless USB Utility
Bonjour
Camera Support Core Library
Camera Window
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon i850
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Critical Update for Windows Media Player 11 (KB959772)
DAO 3.5
Defraggler (remove only)
Digital Locker Assistant
DriveImage XML
DVD Decrypter (Remove Only)
EZ Vinyl/Tape Converter 2.1.0.9 by MixMeister
FileZilla Client 3.0.10
Foxit Reader
Foxit Toolbar
Google Desktop
Google Photos Screensaver
Google Toolbar for Internet Explorer
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HouseCall 6.6
HP DC3000
hp deskjet 656c series (Remove only)
HP Driver Diagnostics
HP DVD Movie Writer
HP Software Update
ieSpell
iPhoto Plus 4
iPod To Computer Transfer 3.5
iTunes
Java™ 6 Update 11
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6
LightScribe 1.4.89.1
McAfee SecurityCenter
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
MovieEdit Task
muvee autoProducer DVD Edition - HPC
Nero Suite
NoAdware v5.0
Norton Security Scan
NTI Backup NOW! Deluxe
NTI CD-Maker 2000 Plus
NTI FileCD
NVIDIA Drivers
NvMixer
OpenOffice.org 3.0
Opera 9.64
PhotoShow Express 4
PhotoStitch
Picasa 2
PowerDVD
Quicken Basic 99
QuickTime
RAW Image Task 1.0
RecordNow
RemoteCapture Task 1.0.2
Remove Empty Directories 2.1
ScanWizard 5
Secunia PSI
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Simple Backup
Smart Link 56K Voice Modem
Spin It Again
Spyware Doctor 5.5
TextBridge Classic
UBCD4Win 3.12
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinImage

==== Event Viewer Messages From Past Week ========

3/19/2009 11:43:04 AM, error: Print [6161] - The document http://autos.aol.com/used-list/make1-Jeep/...-Grand+Cherokee owned by Owner failed to print on printer Canon i850. Data type: NT EMF 1.008. Size of the spool file in bytes: 786432. Number of bytes printed: 223088. Total number of pages in the document: 2. Number of pages printed: 0. Client machine: \\OWNER-553C6D8F9. Win32 error code returned by the print processor: 0 (0x0).
3/18/2009 12:05:02 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer CHILTON-9P63181 that believes that it is the master browser for the domain on transport NetBT_Tcpip_{35D397FC-C33. The master browser is stopping or an election is being forced.
3/17/2009 3:28:53 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/17/2009 2:58:53 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/17/2009 2:43:52 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
3/15/2009 9:21:07 PM, error: Print [6161] - The document C:\Documents and Settings\Owner\Desktop\Atlanta\ATResume_Workout.pdf owned by Owner failed to print on printer Canon i850. Data type: NT EMF 1.008. Size of the spool file in bytes: 45305956. Number of bytes printed: 9825060. Total number of pages in the document: 20. Number of pages printed: 4. Client machine: \\OWNER-553C6D8F9. Win32 error code returned by the print processor: 122 (0x7a).
3/15/2009 8:29:02 PM, error: BROWSER [8007] - The browser was unable to update the service status bits. The data is the error.
3/19/2009 9:51:53 PM, error: Dhcp [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00173F6B11F4. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
3/22/2009 9:04:43 PM, error: Print [6161] - The document http://webmail.aol.com/41921/aol/en-us/mai...intMessage.aspx owned by Owner failed to print on printer Canon i850. Data type: NT EMF 1.008. Size of the spool file in bytes: 103000. Number of bytes printed: 102836. Total number of pages in the document: 1. Number of pages printed: 0. Client machine: \\OWNER-553C6D8F9. Win32 error code returned by the print processor: 0 (0x0).
3/22/2009 9:09:53 PM, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.

==== End Of File ===========================

#4 tyl604

tyl604
  • Topic Starter

  • Members
  • 373 posts
  • OFFLINE
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:08:05 AM

Posted 23 March 2009 - 10:15 AM

Just did it again. I clicked to open Lotus Organizer and got a message: "The Win16 subsystem has insufficient resources to continue running. Click on OK, close your applications, and restart your machine."

Happens all the time on this computer. I run Lotus Organizer on all my other computers without a problem.

Edited by tyl604, 23 March 2009 - 10:16 AM.


#5 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:05 AM

Posted 23 March 2009 - 03:55 PM

Hello.

The DDS log looks clean.

Let's see what we can find.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download Malwarebytes Anti-Malware setup and to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using FileAssassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.

Submit File to Online Scanner
There is a file that I would like you to check out for me using VirusTotal/VirSCAN
  • Open VirusTotal Online Scanner or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • C:\WINDOWS\twain_32\A4S2_600\watch.exe
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.

With Regards,
The Panda

#6 tyl604

tyl604
  • Topic Starter

  • Members
  • 373 posts
  • OFFLINE
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:08:05 AM

Posted 24 March 2009 - 08:20 AM

Attached are the files from Malwarebytes and Virustotal. Hope this helps. I also wonder if it could be (instead of a virus) just the fact that I have so much running from Startup? Maybe this is what takes all of the Win16 subsystem? Thx for the help.

Virustotal:

File avz00001.dta received on 03.21.2009 21:06:01 (CET)
Current status: finished

Result: 0/39 (0.00%)
Compact Print results
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.21 -
AhnLab-V3 5.0.0.2 2009.03.21 -
AntiVir 7.9.0.120 2009.03.21 -
Authentium 5.1.2.4 2009.03.21 -
Avast 4.8.1335.0 2009.03.20 -
AVG 8.5.0.283 2009.03.20 -
BitDefender 7.2 2009.03.21 -
CAT-QuickHeal 10.00 2009.03.21 -
ClamAV 0.94.1 2009.03.21 -
Comodo 1078 2009.03.21 -
DrWeb 4.44.0.09170 2009.03.21 -
eSafe 7.0.17.0 2009.03.19 -
eTrust-Vet 31.6.6409 2009.03.20 -
F-Prot 4.4.4.56 2009.03.20 -
F-Secure 8.0.14470.0 2009.03.21 -
Fortinet 3.117.0.0 2009.03.21 -
GData 19 2009.03.21 -
Ikarus T3.1.1.48.0 2009.03.21 -
K7AntiVirus 7.10.678 2009.03.21 -
Kaspersky 7.0.0.125 2009.03.21 -
McAfee 5560 2009.03.21 -
McAfee+Artemis 5560 2009.03.21 -
McAfee-GW-Edition 6.7.6 2009.03.21 -
Microsoft 1.4502 2009.03.21 -
NOD32 3953 2009.03.21 -
Norman 6.00.06 2009.03.20 -
nProtect 2009.1.8.0 2009.03.21 -
Panda 10.0.0.10 2009.03.21 -
PCTools 4.4.2.0 2009.03.21 -
Prevx1 V2 2009.03.21 -
Rising 21.21.52.00 2009.03.21 -
Sophos 4.39.0 2009.03.21 -
Sunbelt 3.2.1858.2 2009.03.20 -
Symantec 1.4.4.12 2009.03.21 -
TheHacker 6.3.3.1.287 2009.03.21 -
TrendMicro 8.700.0.1004 2009.03.20 -
VBA32 3.12.10.1 2009.03.20 -
ViRobot 2009.3.20.1658 2009.03.20 -
VirusBuster 4.6.5.0 2009.03.21 -
Additional information
File size: 184320 bytes
MD5...: f6eb15f07cd15c259430caafbac9c2fb
SHA1..: 07baf20d35b6f2fb99251cac0db35813aaa02b90
SHA256: f76a33c2f4ce9a1124e85b32d178000aa3616ea86e397bf48e00f9e685dc4702
SHA512: 9097421bacc3375a16d1b5583fa3bf260e2f1481e8e4ee5fbf1cd71b7750e2d62680ec1b2657caf18014c720466f34cd24ea46ef2266bc45e3847bb6ab634c8a
ssdeep: 1536:QrEwE/ox/rVAgMQlLaM7fM6k01mBwd7REiTfO9xdf6AAZPusZXNtFYZ:ZXox/RBlLaQQclNtFY

PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ 4.x (69.2%)
Win32 Executable MS Visual C++ (generic) (19.3%)
Win32 Executable Generic (4.3%)
Win32 Dynamic Link Library (generic) (3.8%)
Win16/32 Executable Delphi generic (1.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0xae80
timedatestamp.....: 0x3551968f (Thu May 07 11:10:07 1998)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xa0ec 0xa200 5.68 c528e20435b8ec6c12f00df4995eb5e8
.rdata 0xc000 0x20f0 0x2200 3.68 faf5470e6bf9021e094c32db85038c18
.data 0xf000 0x10e0 0x1000 4.77 6d023e1a09cc278746175e48041b7b0c
.idata 0x11000 0x1162 0x1200 5.47 8a21f5890f088c36505d37112d1cdb0c
.rsrc 0x13000 0x1ca90 0x1cc00 4.72 aeeeadcba0740f2ef04225a853c48253
.reloc 0x30000 0x1838 0x1a00 5.84 324944bc625117c2a8e79536ea4fc9c9

( 6 imports )
> MFC40.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -
> MSVCRT40.dll: _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, __getmainargs, _initterm, _controlfp, strlen, __CxxFrameHandler, strcat, _mbscmp, atoi, strcpy, memset, _ultoa, _setmbcp, strcmp, strncpy, __dllonexit, _onexit, _exit, _XcptFilter, exit, __p__acmdln
> KERNEL32.dll: GetProcAddress, GetVersionExA, WriteProfileStringA, WinExec, GlobalLock, GlobalUnlock, GlobalAlloc, FindResourceA, LoadResource, GlobalFree, FreeResource, GetWindowsDirectoryA, LockResource, GetPrivateProfileStringA, GetProfileStringA, WritePrivateProfileStringA, LoadLibraryA, GetTickCount, GlobalSize, lstrcpyA, Sleep, GetModuleFileNameA, GetModuleHandleA, GetStartupInfoA, GetVersion, FreeLibrary
> USER32.dll: ModifyMenuA, ReleaseDC, SetMenuDefaultItem, ShowWindow, wsprintfA, SetForegroundWindow, TrackPopupMenu, FindWindowA, GetDC, GetSubMenu, LoadIconA, EnableWindow, KillTimer, SetTimer, ScreenToClient, GetClientRect, GetWindowRect, SendMessageA, DrawIcon, GetSystemMetrics, RemoveMenu, SetWindowPos, LoadMenuA, GetCursorPos
> GDI32.dll: GetDeviceCaps, DeleteObject, SelectPalette, RealizePalette, GetStockObject, GetObjectA, CreateFontA, CreateCompatibleDC, BitBlt, CreateDIBitmap, CreatePalette, SelectObject, SetBkMode, TextOutA, GetTextExtentPoint32A
> SHELL32.dll: Shell_NotifyIconA

( 0 exports )

ThreatExpert info: http://www.threatexpert.com/report.aspx?md...430caafbac9c2fb


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


Malwarebytes:

Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 5.1.2600 Service Pack 3

3/23/2009 8:22:56 PM
mbam-log-2009-03-23 (20-22-56).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 131628
Time elapsed: 40 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:05 AM

Posted 26 March 2009 - 05:40 PM

Hello.

Sorry for the delay. Shoot me a PM next time if I don't reply after 24 hours.

There does not appear to be any malware.

Let's take a HijackThis log and disable some unneeded entries.

Download, Install, and Save Log with HijackThis
  • Download the installer HERE onto your desktop and double click it.
  • You may be asked for confirmation for running an executable file. Select Run.
  • You will be asked to choose the install location. Please leave it at the default:
    C:\Program Files\Trend Micro\HijackThis.
  • Select Install.
  • The installation process should only take a few seconds. A shortcut named HijackThis will be created on your desktop so there will be no need to access the HijackThis program directly. The HijackThis window will pop-up after the installation.
  • Click Do a System Scan and Save a Log File.
  • The scan will complete in a moment and the log will pop-up.
  • Copy the contents of the log into your next post.

With Regards,
The Panda

#8 tyl604

tyl604
  • Topic Starter

  • Members
  • 373 posts
  • OFFLINE
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:08:05 AM

Posted 26 March 2009 - 07:06 PM

Installed, ran and saved the log for HijackThis. Here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:19 PM, on 3/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\WINDOWS\twain_32\A4S2_600\watch.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\MSCAN\Msoffice\panel.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: ALToolBar BHO - {7F1A79F9-78D1-4186-9F60-EE0B63DF042A} - C:\Program Files\ESTsoft\ALToolBar\ALToolBand_114_25.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ALToolBar - {38FBE93D-4CA1-4414-AF6A-94920C5BD8DA} - C:\Program Files\ESTsoft\ALToolBar\ALToolBand_114_25.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\watch.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Ativa Wireless USB Utility.lnk = C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: ALToolBar &Search - res://C:\Program Files\ESTsoft\ALToolBar\ALToolBandRes.dll/23/SEARCH.HTML
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6E704581-CCAE-46D2-9C64-20D724B3624E} (UnagiAx Class) - http://radaol-prod-web-rr.streamops.aol.co...agi3.0.84.2.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 11243 bytes

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:05 AM

Posted 26 March 2009 - 07:46 PM

Hello.

Use HijackThis to Remove Unneeded Startup Entries
Programs that run automatically at startup can take up memory, causing your computer to be slow. Many of these entries are not needed.

Below is a list of entries in your HijackThis log that can be removed safely. Below each entry, you will find a brief description of it. Some are up to preference.

To remove entries you do not want, open HijackThis (if you are using Windows Vista, right click the icon and select Run As Administrator), select "Do a system scan only", put a check mark next to those entries and select "Fix checked".

If you experience any issues after removing any items, use the Backup feature to restore the items.

O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DVDTray] C:\Program Files\HP DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [DVDBitSet] C:\Program Files\HP DVD\Umbrella\DVDBitSet.exe /NOUI
O4 - HKLM\..\Run: [PC Pitstop Optimize Reminder] C:\Program Files\PCPitstop\Optimize2\Reminder.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
Do not remove the above line if you use an iPod.
O4 - HKCU\..\Run: [Simple Star PhotoShow Media Manager] C:\PROGRA~1\SIMPLE~2\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

Reboot.

Any improvement?

With Regards,
The Panda
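The post above works through the O4 lines by hand. As an added example (not code from this thread, from HijackThis or from Trend Micro), the Python script below parses the "Running processes" section and the O4 entries of a HijackThis v2 log in the same shape as the one posted, groups the autostart entries by where they are registered (HKLM Run, HKCU Run, per-user Startup folder, Global Startup folder), and flags anything launched from a Temp directory, which is the concern raised earlier in the thread. The sample log is constructed for the example: its paths are copied from the posted log except for two invented Temp-folder lines (`constructed_example.exe`) added so the check has something to report.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis v2.0.2 log posted in this
# thread. Paths are taken from that log; the two Temp-folder lines are invented
# for the example so the temp-directory check has something to report.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:18:19 PM, on 3/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
C:\WINDOWS\twain_32\A4S2_600\watch.exe
C:\Documents and Settings\Owner\Local Settings\Temp\constructed_example.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Watch.lnk = C:\WINDOWS\twain_32\A4S2_600\watch.exe
O4 - Global Startup: Ativa Wireless USB Utility.lnk = C:\Program Files\Ativa\USB AWGUA54\Wireless Utility\Ativawcui.exe
O4 - HKCU\..\Run: [constructed] C:\DOCUME~1\Owner\LOCALS~1\Temp\constructed_example.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


@dataclass
class AutostartEntry:
    source: str  # where the entry is registered, e.g. "HKLM Run" or "Global Startup"
    name: str    # registry value name or shortcut file name
    path: str    # launched executable with quotes and arguments stripped
    raw: str     # the original log line, kept for reporting


# Registry-backed O4 line:  O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args
_REG_O4 = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# Shortcut-backed O4 line:  O4 - Startup: Name.lnk = C:\path\prog.exe
_LNK_O4 = re.compile(r'^O4 - (Global Startup|Startup): (.*?) = (.*)$')
# First executable-looking path in a command string; the lazy match copes with
# unquoted paths that contain spaces, such as C:\Program Files\HP DVD\...
_EXE_PATH = re.compile(r'^"?(.*?\.(?:exe|com|scr|bat|cmd|pif|dll|tmp))"?', re.IGNORECASE)
# Temp directories in long and 8.3 form (Local Settings\Temp, LOCALS~1\Temp, WINDOWS\Temp)
_TEMP_DIR = re.compile(r'\\temp\\|\\tmp\\', re.IGNORECASE)


def command_to_path(command: str) -> str:
    """Strip surrounding quotes and trailing arguments from a Run-key command."""
    m = _EXE_PATH.match(command.strip())
    return m.group(1) if m else command.strip()


def parse_hjt_log(text: str):
    """Return (running_processes, autostart_entries) from a HijackThis v2 log."""
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:            # blank line ends the process list
                in_processes = False
            else:
                processes.append(line)
            continue
        m = _REG_O4.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append(AutostartEntry(f"{hive} {key}", name, command_to_path(command), line))
            continue
        m = _LNK_O4.match(line)
        if m:
            source, name, command = m.groups()
            entries.append(AutostartEntry(source, name, command_to_path(command), line))
    return processes, entries


def running_from_temp(paths):
    """Paths that live under a Temp directory: triage candidates, not verdicts."""
    return [p for p in paths if _TEMP_DIR.search(p)]


def autostart_counts(entries):
    """How many autostart entries each source contributes."""
    counts = {}
    for e in entries:
        counts[e.source] = counts.get(e.source, 0) + 1
    return counts


if __name__ == "__main__":
    procs, autostarts = parse_hjt_log(SAMPLE_LOG)
    print("autostart entries by source:", autostart_counts(autostarts))
    for flagged in running_from_temp(procs):
        print("running process in a Temp directory:", flagged)
    for e in autostarts:
        if running_from_temp([e.path]):
            print("autostart entry launching from a Temp directory:", e.raw)
```

Import it and call `parse_hjt_log` on the text of a saved log, or run it as a script to see the summary for the constructed sample. The Temp-directory test is a triage heuristic rather than a verdict: legitimate installers also run from Temp, so a flagged entry is a candidate for the VirusTotal check used earlier in the thread, not something to remove on sight, and the O4 list it groups is the same set the post above asks the user to review before ticking anything in HijackThis.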

#10 tyl604

tyl604
  • Topic Starter

  • Members
  • 373 posts
  • OFFLINE
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:08:05 AM

Posted 26 March 2009 - 07:49 PM

Thanks for the help; I will start now. Do you agree that my CPU should not always run at 100%?

#11 tyl604

tyl604
  • Topic Starter

  • Members
  • 373 posts
  • OFFLINE
  • Gender:Male
  • Location:Atlanta, GA
  • Local time:08:05 AM

Posted 26 March 2009 - 08:09 PM

Panda - deleted everything from startup as you recommended; rebooted. Did not help. CPU still running at 100% although all I have open is the internet. Suggestions?

#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:05 AM

Posted 27 March 2009 - 07:04 AM

Hello.

It definitely should not be at 100 constantly.

In the Task Manager, click the Processes tab. Take note of which processes are taking high amounts of CPU.

With Regards,
The Panda

#13 tyl604

Posted 27 March 2009 - 04:26 PM

Panda - if you will look at my original email you will see that I started with Task Manager. It shows about 75-80% use by System and 20-25% by Ativa. I looked into System and found that the processes listed did not add to 75-80% and asked you if this indicated a problem. I thought a couple of temporary files (which I identified) running in a temp file under System might have been a problem.

What do we do now?

#14 PropagandaPanda

Posted 27 March 2009 - 05:41 PM

Hello.

Files running out of the temp folders is never good.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

Also take a new DDS.txt log please.

With Regards,
The Panda

Edited by PropagandaPanda, 27 March 2009 - 05:42 PM.
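A triage helper for the kind of GMER log requested in this post, added here as an example and not part of the thread or of GMER itself: it parses the "System" and "Kernel code sections" lines, attributes each SSDT or inline kernel hook to the driver that owns it, and flags hooks owned by a driver whose vendor is not on a trusted list, as well as drivers GMER referenced but could not find on disk. The line patterns are inferred from GMER 1.0.15 output (GMER publishes no format specification), and the trusted-vendor list and the example_unknown.sys line are constructed.

```python
"""Triage the 'System' and 'Kernel code sections' parts of a GMER log.

Each SSDT or inline kernel hook is attributed to the driver that owns it.
Hooks owned by a known security product are expected on a machine running
that product; everything else (unknown vendor, or a driver GMER reported
but could not find on disk) is flagged for a human to look at.
"""
import re
from collections import defaultdict

# Line shapes inferred from GMER 1.0.15 output (GMER publishes no format
# spec, so these patterns are an assumption based on real log lines).
SSDT_RE = re.compile(
    r"^(?P<kind>SSDT|Code)\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+"
    r"(?P<target>\w+)(?:\s+\[(?P<addr>0x[0-9A-Fa-f]+)\])?\s*$"
)
INLINE_RE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT)\s+(?P<image>\S+?)!(?P<target>\w+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<nbytes>\d+)\s+Bytes\s+(?P<op>JMP|CALL)\s+"
    r"(?P<dest>[0-9A-F]+)\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s*$"
)
MISSING_RE = re.compile(
    r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified\.\s*!$"
)

# Vendors whose kernel hooks are expected on this machine (constructed from
# the products visible in the thread's logs; adjust per machine).
TRUSTED_VENDORS = ("McAfee", "PCTools", "PC Tools")

# Constructed sample: lines copied from the thread's GMER log plus one
# made-up driver (example_unknown.sys) to show what a flagged hook looks like.
SAMPLE_LOG = r"""
GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-27 21:55:45

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xA4915794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xA4914D0A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA47269A8]
SSDT \SystemRoot\system32\drivers\example_unknown.sys (Example Driver/Example Vendor) ZwQuerySystemInformation [0xA4000000]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP A47269D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP A4726A2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
"""


def split_desc(desc):
    """'Host Intrusion Detection Link Driver/McAfee, Inc.' -> (description, vendor)."""
    if "/" in desc:
        description, vendor = desc.rsplit("/", 1)
        return description.strip(), vendor.strip()
    return desc.strip(), ""


def parse_gmer(text):
    """Return (hooks, missing): one dict per kernel hook, and the paths of
    drivers GMER referenced but could not open. Other lines are ignored."""
    hooks, missing = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            _, vendor = split_desc(m["desc"])
            hooks.append({"kind": m["kind"], "module": m["module"],
                          "vendor": vendor, "target": m["target"]})
            continue
        m = INLINE_RE.match(line)
        if m:
            _, vendor = split_desc(m["desc"])
            hooks.append({"kind": m["section"], "module": m["module"],
                          "vendor": vendor,
                          "target": f"{m['image']}!{m['target']}",
                          "nbytes": int(m["nbytes"]), "dest": m["dest"]})
            continue
        m = MISSING_RE.match(line)
        if m:
            missing.append(m["module"])
    return hooks, missing


def triage(hooks, missing, trusted_vendors=TRUSTED_VENDORS):
    """Group hooks by owning driver; flag drivers whose vendor string matches
    none of trusted_vendors, and drivers GMER listed but could not find."""
    by_module = defaultdict(list)
    for hook in hooks:
        by_module[hook["module"]].append(hook)
    findings = []
    for module, owned in by_module.items():
        vendor = owned[0]["vendor"]
        if not any(t.lower() in vendor.lower() for t in trusted_vendors):
            findings.append(
                f"{len(owned)} hook(s) owned by untrusted module {module} "
                f"(vendor: {vendor or 'none'})")
    for path in missing:
        findings.append(f"driver listed by GMER but not found on disk: {path}")
    return dict(by_module), findings


if __name__ == "__main__":
    hooks, missing = parse_gmer(SAMPLE_LOG)
    by_module, findings = triage(hooks, missing)
    for module, owned in by_module.items():
        print(f"{len(owned):3d} hook(s)  {module}  [{owned[0]['vendor']}]")
    for finding in findings:
        print("FLAG:", finding)
```

On the thread's full log every kernel hook attributes to mfehidk.sys or iksysflt.sys, so the only line this would flag is the mchInjDrv.sys entry that GMER could not find.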


#15 tyl604

Posted 27 March 2009 - 09:19 PM

Ran OTMoveIt3 and Gmer. Logs are attached. Don't forget - 100% CPU only as long as Ativa thumbdrive is working; i.e. I am connected to internet. None of the scanners seemed to find the Ativa thumbdrive and I am not sure it was scanned. Wonder if it could have had an infection when I bought it? Back to your instructions:

OTMoveIt3 log:

========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFE67D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFB0F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFB2A.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\mcafee_EBAwMpAntYgQ7sa scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_AN9T8Tn0XeuCSeX scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_k16Xa1jUjw0XpWx scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\mcmsc_sD89aCKxdqMIvJ6 scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7a0.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\WFV93.tmp scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Opera cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03272009_222315

Files moved on Reboot...
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFE67D.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFB0F.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DFFB2A.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\mcafee_EBAwMpAntYgQ7sa not found!
File C:\WINDOWS\temp\mcmsc_AN9T8Tn0XeuCSeX not found!
File C:\WINDOWS\temp\mcmsc_k16Xa1jUjw0XpWx not found!
File C:\WINDOWS\temp\mcmsc_sD89aCKxdqMIvJ6 not found!
File C:\WINDOWS\temp\Perflib_Perfdata_7a0.dat not found!
File C:\WINDOWS\temp\WFV93.tmp not found!


Gmer:

GMER 1.0.15.14966 - http://www.gmer.net
Rootkit scan 2009-03-27 21:55:45
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xA4915794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xA4915F1E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xA4914D0A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xA4914384]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA47269A8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xA4726A3F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA4726A53]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA4726A7F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA4726AED]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA4726AD7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA47269E8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA4726B19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA4726A2B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA4726930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA4726944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA47269BC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA4726B55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA4726AC1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA4726AAB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA4726A69]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA4726B41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA4726B2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA4726994]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA4726980]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xA4726A95]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA4726B03]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA47269FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA47269D2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP A47269D6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwOpenKey 80568D59 5 Bytes JMP A4726A2F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryValueKey 8056A1F2 7 Bytes JMP A4726AAF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056CDC0 5 Bytes JMP A47269AC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 8056DC01 5 Bytes JMP A4726984 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateKey 8057065D 5 Bytes JMP A4726A43 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryKey 80570A6D 7 Bytes JMP A4726B59 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 7 Bytes JMP A4726AF1 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805717C7 5 Bytes JMP A4726934 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 80571CB1 7 Bytes JMP A47269C0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetValueKey 80572889 7 Bytes JMP A4726A99 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 805736E6 5 Bytes JMP A4726A02 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80573B61 7 Bytes JMP A47269EC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058A1C9 5 Bytes JMP A4726948 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwNotifyChangeKey 8058A699 5 Bytes JMP A4726B1D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwEnumerateValueKey 80590677 7 Bytes JMP A4726ADB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteValueKey 80592D5C 7 Bytes JMP A4726A83 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwDeleteKey 805952CA 7 Bytes JMP A4726A57 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DCF7 5 Bytes JMP A4726998 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnloadKey 8064DA12 7 Bytes JMP A4726B07 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwQueryMultipleValueKey 8064E338 7 Bytes JMP A4726AC5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRenameKey 8064E7B6 7 Bytes JMP A4726A6D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwRestoreKey 8064ECA9 5 Bytes JMP A4726B31 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwReplaceKey 8064F112 5 Bytes JMP A4726B45 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[108] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[108] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[108] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[108] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[108] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[108] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe[108] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[160] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[160] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[160] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[160] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[160] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[160] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe[160] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[164] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[164] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[164] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[164] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[164] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[164] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe[164] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[216] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[216] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[216] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[216] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[216] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[216] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[216] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[216] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C340 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[216] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 0041C3C0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[452] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[452] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[452] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[452] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[452] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[452] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\McAfee\MPF\MPFSrv.exe[452] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[496] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[496] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[496] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[496] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[496] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[496] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\McAfee.com\Agent\mcagent.exe[496] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[516] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 00449CE1 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[752] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[752] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[752] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[752] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[752] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[752] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Program Files\Spyware Doctor\pctsAuxs.exe[752] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\ctfmon.exe[760] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[760] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[760] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[760] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\ctfmon.exe[760] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\ctfmon.exe[760] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\ctfmon.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\csrss.exe[900] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[900] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\csrss.exe[900] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[900] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\csrss.exe[900] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\csrss.exe[900] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\csrss.exe[900] KERNEL32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\winlogon.exe[924] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[924] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\winlogon.exe[924] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[924] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\WINDOWS\system32\winlogon.exe[924] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\winlogon.exe[924] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\system32\winlogon.exe[924] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\system32\services.exe[968] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[968] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\services.exe[968] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[968] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0C, 5F] {OR AL, 0x5f}
.text C:\WINDOWS\system32\services.exe[968] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\services.exe[968] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0F, 5F]
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01050000
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01050FB9
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 010500A4
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01050093
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01050076
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01050036
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 010500BF
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01050F83
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01050106
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 010500EB
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 01050121
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 01050051
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 01050FE5
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 01050F9E
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 01050FD4
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 0105001B
.text C:\WINDOWS\system32\services.exe[968] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 010500DA
.text C:\WINDOWS\system32\services.exe[968] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 01040FC0
.text C:\WINDOWS\system32\services.exe[968] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 01040F80
.text C:\WINDOWS\system32\services.exe[968] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 01040011
.text C:\WINDOWS\system32\services.exe[968] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 01040FE5
.text C:\WINDOWS\system32\services.exe[968] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 01040F9B
.text C:\WINDOWS\system32\services.exe[968] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 01040000
.text C:\WINDOWS\system32\services.exe[968] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 0104003D
.text C:\WINDOWS\system32\services.exe[968] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 0104002C
.text C:\WINDOWS\system32\services.exe[968] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0103005D
.text C:\WINDOWS\system32\services.exe[968] msvcrt.dll!system 77C293C7 5 Bytes JMP 0103004C
.text C:\WINDOWS\system32\services.exe[968] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01030FD2
.text C:\WINDOWS\system32\services.exe[968] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01030000
.text C:\WINDOWS\system32\services.exe[968] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01030027
.text C:\WINDOWS\system32\services.exe[968] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01030FE3
.text C:\WINDOWS\system32\services.exe[968] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01020FEF
.text C:\WINDOWS\system32\lsass.exe[980] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[980] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\lsass.exe[980] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[980] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0C, 5F] {OR AL, 0x5f}
.text C:\WINDOWS\system32\lsass.exe[980] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\lsass.exe[980] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0F, 5F]
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BA000A
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BA007B
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BA0F86
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BA0F97
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BA0FA8
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BA0FB9
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BA00A9
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BA008C
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BA0F46
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BA00D5
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 00BA00FA
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 00BA0040
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 00BA0FEF
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 00BA0F6B
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 00BA0025
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 00BA0FDE
.text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 00BA00C4
.text C:\WINDOWS\system32\lsass.exe[980] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00B90FC3
.text C:\WINDOWS\system32\lsass.exe[980] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00B90FA8
.text C:\WINDOWS\system32\lsass.exe[980] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 00B90FD4
.text C:\WINDOWS\system32\lsass.exe[980] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00B90FE5
.text C:\WINDOWS\system32\lsass.exe[980] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00B90065
.text C:\WINDOWS\system32\lsass.exe[980] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00B90000
.text C:\WINDOWS\system32\lsass.exe[980] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 00B90054
.text C:\WINDOWS\system32\lsass.exe[980] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00B90039
.text C:\WINDOWS\system32\lsass.exe[980] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B80F9C
.text C:\WINDOWS\system32\lsass.exe[980] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B8001D
.text C:\WINDOWS\system32\lsass.exe[980] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B80FD2
.text C:\WINDOWS\system32\lsass.exe[980] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\lsass.exe[980] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B80FAD
.text C:\Documents and Settings\Owner\Local Settings\Temp\_AZTMP0_\Exec\gmer.exe[2768] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\Documents and Settings\Owner\Local Settings\Temp\_AZTMP0_\Exec\gmer.exe[2768] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Local Settings\Temp\_AZTMP0_\Exec\gmer.exe[2768] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\Documents and Settings\Owner\Local Settings\Temp\_AZTMP0_\Exec\gmer.exe[2768] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\Documents and Settings\Owner\Local Settings\Temp\_AZTMP0_\Exec\gmer.exe[2768] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\Documents and Settings\Owner\Local Settings\Temp\_AZTMP0_\Exec\gmer.exe[2768] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\Documents and Settings\Owner\Local Settings\Temp\_AZTMP0_\Exec\gmer.exe[2768] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\alg.exe[3004] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\WINDOWS\System32\alg.exe[3004] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\WINDOWS\System32\alg.exe[3004] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\svchost.exe[3336] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[3336] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\WINDOWS\System32\svchost.exe[3336] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[3336] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0C, 5F] {OR AL, 0x5f}
.text C:\WINDOWS\System32\svchost.exe[3336] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\System32\svchost.exe[3336] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0F, 5F]
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0FEF
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A005E
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A0F69
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0F86
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A0FA1
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FB2
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00A0
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A0F4E
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A00CC
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A0F33
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001A0F18
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001A0043
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001A000A
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001A0079
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!WinExec 7C8623AD 1 Byte [E9]
.text C:\WINDOWS\System32\svchost.exe[3336] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001A00B1
.text C:\WINDOWS\System32\svchost.exe[3336] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 00290025
.text C:\WINDOWS\System32\svchost.exe[3336] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 00290079
.text C:\WINDOWS\System32\svchost.exe[3336] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 0029000A
.text C:\WINDOWS\System32\svchost.exe[3336] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 00290FD4
.text C:\WINDOWS\System32\svchost.exe[3336] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 00290054
.text C:\WINDOWS\System32\svchost.exe[3336] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 00290FE5
.text C:\WINDOWS\System32\svchost.exe[3336] ADVAPI32.dll!RegCreateKeyW 77DFBA25 2 Bytes JMP 00290FB2
.text C:\WINDOWS\System32\svchost.exe[3336] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA28 2 Bytes [49, 88]
.text C:\WINDOWS\System32\svchost.exe[3336] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 00290FC3
.text C:\WINDOWS\System32\svchost.exe[3336] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 003E0042
.text C:\WINDOWS\System32\svchost.exe[3336] msvcrt.dll!system 77C293C7 5 Bytes JMP 003E0FB7
.text C:\WINDOWS\System32\svchost.exe[3336] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 003E0FD2
.text C:\WINDOWS\System32\svchost.exe[3336] msvcrt.dll!_open 77C2F566 5 Bytes JMP 003E0000
.text C:\WINDOWS\System32\svchost.exe[3336] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 003E0027
.text C:\WINDOWS\System32\svchost.exe[3336] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 003E0FEF
.text C:\WINDOWS\System32\svchost.exe[3336] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00760FEF
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3880] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3880] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3880] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3880] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0B, 5F]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3880] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3880] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0E, 5F] {PUSH CS; POP EDI}
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3880] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
.text C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe[3880] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wuauclt.exe[4056] ntdll.dll!NtCreateSection 7C90D160 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wuauclt.exe[4056] ntdll.dll!NtCreateSection + 4 7C90D164 2 Bytes [05, 5F]
.text C:\WINDOWS\system32\wuauclt.exe[4056] ntdll.dll!NtTerminateProcess 7C90DE50 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wuauclt.exe[4056] ntdll.dll!NtTerminateProcess + 4 7C90DE54 2 Bytes [0C, 5F] {OR AL, 0x5f}
.text C:\WINDOWS\system32\wuauclt.exe[4056] ntdll.dll!NtWriteVirtualMemory 7C90DF90 3 Bytes [FF, 25, 1E]
.text C:\WINDOWS\system32\wuauclt.exe[4056] ntdll.dll!NtWriteVirtualMemory + 4 7C90DF94 2 Bytes [0F, 5F]
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001B0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001B0F81
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001B006C
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001B005B
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001B0FA8
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001B0FCA
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001B00B8
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001B0F70
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001B00E4
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001B0F55
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!GetProcAddress 7C80AE30 5 Bytes JMP 001B0109
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!LoadLibraryW 7C80AEDB 5 Bytes JMP 001B0FB9
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!CreateFileW 7C8107F0 5 Bytes JMP 001B000A
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!CreatePipe 7C81D827 5 Bytes JMP 001B009B
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!CreateNamedPipeW 7C82F0C5 5 Bytes JMP 001B0036
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!CreateNamedPipeA 7C860B7C 5 Bytes JMP 001B0025
.text C:\WINDOWS\system32\wuauclt.exe[4056] kernel32.dll!WinExec 7C8623AD 5 Bytes JMP 001B00C9
.text C:\WINDOWS\system32\wuauclt.exe[4056] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0042
.text C:\WINDOWS\system32\wuauclt.exe[4056] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A0FAD
.text C:\WINDOWS\system32\wuauclt.exe[4056] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A001D
.text C:\WINDOWS\system32\wuauclt.exe[4056] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0FEF
.text C:\WINDOWS\system32\wuauclt.exe[4056] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A0FC8
.text C:\WINDOWS\system32\wuauclt.exe[4056] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A000C
.text C:\WINDOWS\system32\wuauclt.exe[4056] ADVAPI32.dll!RegOpenKeyExW 77DD6A9F 5 Bytes JMP 002B001B
.text C:\WINDOWS\system32\wuauclt.exe[4056] ADVAPI32.dll!RegCreateKeyExW 77DD775C 5 Bytes JMP 002B0FAF
.text C:\WINDOWS\system32\wuauclt.exe[4056] ADVAPI32.dll!RegOpenKeyExA 77DD7842 5 Bytes JMP 002B0FD4
.text C:\WINDOWS\system32\wuauclt.exe[4056] ADVAPI32.dll!RegOpenKeyW 77DD7936 5 Bytes JMP 002B0FE5
.text C:\WINDOWS\system32\wuauclt.exe[4056] ADVAPI32.dll!RegCreateKeyExA 77DDE9E4 5 Bytes JMP 002B006C
.text C:\WINDOWS\system32\wuauclt.exe[4056] ADVAPI32.dll!RegOpenKeyA 77DDEFB8 5 Bytes JMP 002B0000
.text C:\WINDOWS\system32\wuauclt.exe[4056] ADVAPI32.dll!RegCreateKeyW 77DFBA25 5 Bytes JMP 002B0051
.text C:\WINDOWS\system32\wuauclt.exe[4056] ADVAPI32.dll!RegCreateKeyA 77DFBCC3 5 Bytes JMP 002B0036
.text C:\WINDOWS\system32\wuauclt.exe[4056] WS2_32.dll!socket 71AB4211 5 Bytes JMP 003C0000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[968] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\services.exe[968] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\services.exe[968] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\services.exe[968] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\lsass.exe[980] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\lsass.exe[980] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\lsass.exe[980] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\lsass.exe[980] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\lsass.exe[980] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\lsass.exe[980] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\lsass.exe[980] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1124] @ c:\windows\system32\rpcss.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1184] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1184] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1184] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1184] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1184] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1184] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1184] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1184] @ c:\windows\system32\rpcss.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[1224] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1308] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1308] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1308] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1308] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1308] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1308] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1308] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1372] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1372] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1372] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1372] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1372] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1372] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1372] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[1372] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[1960] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[1960] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[1960] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[1960] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[1960] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[1960] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[1960] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[1960] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\Explorer.EXE[1960] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[2640] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[2640] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[2640] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[2640] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[2640] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[2640] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[2640] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\svchost.exe[2640] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3336] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3336] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3336] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3336] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3336] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3336] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\System32\svchost.exe[3336] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\wuauclt.exe[4056] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\wuauclt.exe[4056] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\wuauclt.exe[4056] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\wuauclt.exe[4056] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\wuauclt.exe[4056] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] 5F080000
IAT C:\WINDOWS\system32\wuauclt.exe[4056] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] 5F080000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}@DhcpServer 255.255.255.255
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}@Lease 3600
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}@LeaseObtainedTime 1238200930
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}@T1 1238202730
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}@T2 1238204080
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}@LeaseTerminatesTime 1238204530
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}@DhcpRetryTime 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}@DhcpRetryStatus 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}@DhcpSubnetMask 255.0.0.0
Reg HKLM\SYSTEM\CurrentControlSet\Services\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}\Parameters\Tcpip@DhcpSubnetMask 255.0.0.0
Reg HKLM\SYSTEM\CurrentControlSet\Services\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}\Parameters\Tcpip@DhcpServer 255.255.255.255
Reg HKLM\SYSTEM\CurrentControlSet\Services\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}\Parameters\Tcpip@Lease 3600
Reg HKLM\SYSTEM\CurrentControlSet\Services\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}\Parameters\Tcpip@LeaseObtainedTime 1238200930
Reg HKLM\SYSTEM\CurrentControlSet\Services\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}\Parameters\Tcpip@T1 1238202730
Reg HKLM\SYSTEM\CurrentControlSet\Services\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}\Parameters\Tcpip@T2 1238204080
Reg HKLM\SYSTEM\CurrentControlSet\Services\{3729A4A8-7D54-46B0-9696-2BE9799D8A63}\Parameters\Tcpip@LeaseTerminatesTime 1238204530
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 77
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{02EE9E7C-C70F-A2A0-1973-7C3971A7EB1F}

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\config\default.LOG (size mismatch) 1024/8192 bytes
File C:\WINDOWS\system32\config\system.LOG (size mismatch) 12288/1024 bytes
File C:\WINDOWS\Temp\mcmsc_fg7osSpI9Vnvzwq 0 bytes

---- EOF - GMER 1.0.15 ----



