
XP Infected with seres.exe, svcst.exe , can't reboot


This topic is locked
31 replies to this topic

#1 grawns

grawns

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 22 October 2009 - 11:32 AM

Hi all and a multitude of thanks

First post and I don't know if this has been answered already (I have read several variations of my problem but none exactly the same). My problem first occurred 2 weeks ago and McAfee technicians fixed it (or so they thought). Anti-virus Pro 2010 had disabled McAfee and refused to let me update or reinstall McAfee. After their fix I uninstalled Explorer and installed Mozilla Firefox, and when the problem reoccurred (Anti-virus 2010) I notified McAfee and I got an email back asking 50 to fix it. After 1 whole day on the phone last time I didn't feel like paying them anymore and decided to cancel my subscription.

So I uninstalled McAfee and tried to install AVG. What a dumbass I am, as it turned out I couldn't. I thought I would be safe with System Restore and I could install there, but that doesn't work. Now I have no antivirus installed. I did some searching and was kindly pointed here, where I downloaded Malwarebytes, but the bad files can't be deleted on reboot as I get a blue screen from Windows.

I can't find my original XP CD so from previous posts I have burned a Windows Recovery Console ISO.

Here are the reports

Good luck and thanks



DDS (Ver_09-10-13.01) - NTFSx86
Run by Grainne at 15:39:19.62 on 22/10/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.510.222 [GMT 1:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Grainne\Application Data\seres.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Grainne\Application Data\svcst.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Grainne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.ie/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.euro.dell.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
mWinlogon: Shell=Explorer.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus DX8400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticee.exe /fu "c:\windows\temp\E_S4F2A.tmp" /EF "HKCU"
uRun: [mserv] c:\documents and settings\grainne\application data\seres.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
dRun: [ntias64] rundll32.exe "c:\documents and settings\localservice\local settings\application data\ntias64\ntias64.dll", DllInit
dRun: [mserv] c:\documents and settings\localservice\application data\seres.exe
dRun: [svchost] c:\documents and settings\localservice\application data\svcst.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} - hxxp://www.ipix.com/viewers/ipixx.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,96/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/53/install/gtdownls.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45}
TCP: {D7325F9D-25C1-4169-9916-08435B44A722} = 62.231.32.10,62.231.32.11
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\grainne\applic~1\mozilla\firefox\profiles\7j8u1j7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R2 ithsgt;ithsgt;c:\windows\system32\drivers\ithsgt.sys [2006-5-13 162432]
R2 lilsgt;lilsgt;c:\windows\system32\drivers\lilsgt.sys [2006-5-13 12032]
R3 Tetris;Tetris driver;c:\windows\system32\drivers\Tetris.sys [2006-5-13 48928]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-10-2 210216]
SUnknown nylugt;nylugt; [x]

=============== Created Last 30 ================

2009-10-22 15:05 45,056 -------- c:\docume~1\grainne\applic~1\svcst.exe
2009-10-21 10:15 <DIR> --d----- c:\program files\AVG
2009-10-20 17:31 <DIR> --d----- c:\docume~1\grainne\applic~1\Malwarebytes
2009-10-20 17:31 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 17:31 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-20 17:31 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 17:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-10-20 14:04 159,856 a------- c:\docume~1\grainne\applic~1\lizkavd.exe
2009-10-20 12:49 <DIR> --d----- C:\$AVG
2009-10-20 12:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg9
2009-10-20 12:31 7,849 a------- c:\windows\system32\Config.MPF
2009-10-16 17:56 45,056 a------- c:\docume~1\grainne\applic~1\seres.exe
2009-10-09 09:41 411,368 a------- c:\windows\system32\deploytk.dll
2009-10-02 17:06 <DIR> --d----- c:\program files\common files\McAfee
2009-10-02 17:06 <DIR> --d----- c:\program files\McAfee.com
2009-10-02 16:28 <DIR> --d----- C:\!KillBox
2009-10-02 15:17 18,946 a------- c:\program files\common files\fufuv.pif
2009-10-02 15:17 17,193 a------- c:\program files\common files\ytyra.dat
2009-10-02 15:17 13,570 a------- c:\windows\yvyp.sys
2009-10-02 14:55 <DIR> --d----- c:\windows\pss
2009-10-02 09:54 15,584 a------- c:\program files\common files\hijemygaso.dat
2009-10-02 09:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Citrix
2009-10-02 09:18 <DIR> --d----- c:\program files\Citrix
2009-10-02 09:18 61,224 a------- c:\documents and settings\grainne\GoToAssistDownloadHelper.exe

==================== Find3M ====================

2009-09-11 15:18 136,192 a------- c:\windows\system32\msv1_0.dll
2009-09-11 15:18 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-09-04 22:03 58,880 a------- c:\windows\system32\msasn1.dll
2009-09-04 22:03 58,880 -------- c:\windows\system32\dllcache\msasn1.dll
2009-08-28 11:28 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-08-28 11:28 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-08-27 06:18 634,648 a------- c:\windows\system32\dllcache\iexplore.exe
2009-08-27 06:18 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-08-26 09:00 247,326 a------- c:\windows\system32\strmdll.dll
2009-08-26 09:00 247,326 a------- c:\windows\system32\dllcache\strmdll.dll
2009-08-13 16:16 512,000 -------- c:\windows\system32\dllcache\jscript.dll
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 20:44 2,189,184 a------- c:\windows\system32\ntoskrnl.exe
2009-08-04 20:44 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2009-08-04 16:13 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-08-04 15:20 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe
2009-08-04 15:20 2,066,048 a------- c:\windows\system32\ntkrnlpa.exe
2009-08-04 15:20 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-01 18:32 21,808 ac------ c:\docume~1\grainne\applic~1\GDIPFONTCACHEV1.DAT
2005-04-27 16:50 1,094,021 a------- c:\documents and settings\grainne\dvdshrink32setup.zip
2005-05-03 22:00 56 -c-sh--- c:\windows\system32\D0A08AF5D6.sys
2006-02-18 18:37 11,690 ac-sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-11 12:12 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091120080912\index.dat

============= FINISH: 15:40:59.79 ===============
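As an added example (not part of the original thread, and not code from DDS or BleepingComputer), the following Python triage script reads a DDS-style excerpt and flags autorun entries and running processes whose executable lives under a user profile's Application Data or Local Settings folder, then cross-references the two so a helper can see which flagged autoruns are actually live. The sample log is constructed here to mirror the layout of the Running Processes and Pseudo HJT Report sections above; the section-header format, the `uRun`/`mRun`/`dRun` line format and the directory heuristics are assumptions drawn from that layout.

```python
"""Triage helper for DDS-style log excerpts (added example, not DDS code).

Flags autorun entries and running processes whose executable sits in a
per-user profile directory, which is where seres.exe / svcst.exe appear
in the thread's log, and marks which flagged autoruns are also running.
"""
import re

# Constructed sample that mirrors the DDS layout shown in the thread above.
SAMPLE_LOG = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\Explorer.exe
C:\\Documents and Settings\\Grainne\\Application Data\\seres.exe
C:\\Program Files\\iPod\\bin\\iPodService.exe
C:\\Documents and Settings\\Grainne\\Application Data\\svcst.exe

============== Pseudo HJT Report ===============

uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [mserv] c:\\documents and settings\\grainne\\application data\\seres.exe
mRun: [igfxtray] c:\\windows\\system32\\igfxtray.exe
dRun: [ntias64] rundll32.exe "c:\\documents and settings\\localservice\\local settings\\application data\\ntias64\\ntias64.dll", DllInit
dRun: [mserv] c:\\documents and settings\\localservice\\application data\\seres.exe
dRun: [svchost] c:\\documents and settings\\localservice\\application data\\svcst.exe
"""

# Heuristic (assumption): executables launched from these per-user folders
# deserve a closer look, since legitimate software rarely autoruns from them.
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

# DDS "Run" lines: hive letter (u=HKCU, m=HKLM, d=default user), [name], command.
RUN_RE = re.compile(r"^(?P<hive>[umd])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A drive-rooted path ending in a common executable/module extension.
PATH_RE = re.compile(r"[a-z]:\\[^\"\n]*?\.(?:exe|dll|scr|pif|sys)", re.IGNORECASE)
SECTION_RE = re.compile(r"^=+ (.+?) =+$")


def in_profile_dir(path):
    """True if the path lies under one of the per-user folders above."""
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def parse_sections(text):
    """Split a DDS-style report into {section title: [non-blank lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def find_autorun_hits(lines):
    """Return Run entries whose command references a profile-directory path."""
    hits = []
    for line in lines:
        m = RUN_RE.match(line)
        if not m:
            continue
        for path in PATH_RE.findall(m.group("cmd")):
            if in_profile_dir(path):
                hits.append({"hive": m.group("hive"),
                             "name": m.group("name"),
                             "path": path.lower()})
    return hits


def find_process_hits(lines):
    """Return running-process lines that point into a profile directory."""
    return [line for line in lines if in_profile_dir(line)]


def triage(text):
    """Correlate suspicious autoruns with the running-process list."""
    sections = parse_sections(text)
    procs = find_process_hits(sections.get("Running Processes", []))
    autoruns = find_autorun_hits(sections.get("Pseudo HJT Report", []))
    running = {p.lower() for p in procs}
    for hit in autoruns:
        hit["running"] = hit["path"] in running
    return {"processes": procs, "autoruns": autoruns}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for p in report["processes"]:
        print("running from profile dir:", p)
    for h in report["autoruns"]:
        flag = "LIVE" if h["running"] else "not running"
        print(f"{h['hive']}Run [{h['name']}] -> {h['path']} ({flag})")
```

On the constructed sample the script reports both Application Data processes and four profile-directory autoruns, of which only the HKCU `mserv` entry matches a live process; the default-user (`dRun`) entries are not running in this session but would start for other profiles, which is why a helper asks for an all-users scan.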



#2 grawns

grawns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 27 October 2009 - 10:31 AM

Hi Guys

Just an update as I will be going to the UK on Friday 30th for 10 days. I have McAfee reinstalled but I think this has made things worse so will probably uninstall again. McAfee finds no virus. Malwarebytes still finds Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
Still get a blue screen on reboot so can't delete pesky str.sys.

Thanks

#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 31 October 2009 - 10:54 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days without previous notification if a topic is not replied to we assume it has been abandoned and it is closed.

I will keep your topic opened for the next 10 days until you come back from the UK. :(

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 05 November 2009 - 05:26 PM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
_temp_



#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • OFFLINE
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 11 November 2009 - 05:46 AM

Hi,

Topic reopened. Please post your logs.

regards myrti



#6 grawns

grawns
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:04:08 AM

Posted 11 November 2009 - 09:55 AM

OTL did not generate an Extra.txt; I downloaded it twice but still no Extra.

I ran it in Safe Mode and in Last Known Good Configuration (the one which I am posting here).

Thanks for your assistance :(

OTL logfile created on: 11/11/2009 14:22:06 - Run 3
OTL by OldTimer - Version 3.1.5.0 Folder = C:\Documents and Settings\Grainne\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00001809 | Country: Ireland | Language: ENI | Date Format: dd/MM/yyyy

509.98 Mb Total Physical Memory | 130.50 Mb Available Physical Memory | 25.59% Memory free
1.22 Gb Paging File | 0.88 Gb Available in Paging File | 72.13% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.44 Gb Total Space | 33.09 Gb Free Space | 44.45% Space Free | Partition Type: NTFS
Drive D: | 7.35 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: GATELODGE
Current User Name: Grainne
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/11 10:31:04 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Grainne\Desktop\OTL.exe
PRC - [2009/10/09 08:40:17 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/09 08:40:16 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/10/02 13:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/09/17 14:29:04 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/09/17 14:29:04 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/09/16 11:23:32 | 00,262,160 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcvsshld.exe
PRC - [2009/09/16 10:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 09:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/09/15 10:23:54 | 00,894,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/02/06 10:10:02 | 00,227,840 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\wmiprvse.exe
PRC - [2008/04/14 00:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/09/20 08:36:20 | 00,114,688 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/09/20 08:32:24 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/05/04 16:21:42 | 00,278,528 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2005/05/04 16:21:26 | 00,327,680 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2004/12/06 00:05:00 | 00,127,035 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfswctrl.exe
PRC - [2004/09/22 17:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
PRC - [2004/04/26 07:04:14 | 00,053,248 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
PRC - [2004/02/13 09:47:02 | 00,155,648 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\OpenManage\Client\Iap.exe


========== Modules (SafeList) ==========

MOD - [2009/11/11 10:31:04 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Grainne\Desktop\OTL.exe
MOD - [2008/04/14 00:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/14 00:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/09 08:40:16 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/10/02 13:02:56 | 00,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\MskSrver.exe -- (MSK80Service)
SRV - [2009/09/17 14:29:04 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/09/16 11:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 10:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 09:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/09/15 10:23:54 | 00,894,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 10:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 10:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/14 00:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2005/05/04 16:21:26 | 00,327,680 | ---- | M] (Apple Computer, Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPodService)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/09/22 17:46:10 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf)
SRV - [2004/02/13 09:47:02 | 00,155,648 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\OpenManage\Client\Iap.exe -- (Iap)
SRV - [2003/03/03 12:33:40 | 00,143,360 | ---- | M] (Intel® Corporation) -- C:\Program Files\Intel\NCS\Sync\NetSvc.exe -- (NetSvc)


========== Driver Services (SafeList) ==========

DRV - [2009/09/16 10:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 10:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 10:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 10:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 10:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 12:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/05/09 00:14:20 | 00,014,736 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/11/20 19:19:06 | 00,043,872 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2008/04/13 18:45:36 | 00,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbser.sys -- (usbser)
DRV - [2008/04/13 18:36:39 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/13 18:36:39 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2007/11/13 10:25:53 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2007/04/03 12:57:54 | 00,099,080 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s116unic.sys -- (s116unic)
DRV - [2007/04/03 12:57:52 | 00,098,696 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s116obex.sys -- (s116obex)
DRV - [2007/04/03 12:57:52 | 00,023,176 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s116nd5.sys -- (s116nd5)
DRV - [2007/04/03 12:57:50 | 00,100,488 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s116mgmt.sys -- (s116mgmt)
DRV - [2007/04/03 12:57:48 | 00,108,680 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s116mdm.sys -- (s116mdm)
DRV - [2007/04/03 12:57:48 | 00,015,112 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s116mdfl.sys -- (s116mdfl)
DRV - [2007/04/03 12:57:42 | 00,083,336 | ---- | M] (MCCI Corporation) -- C:\WINDOWS\system32\drivers\s116bus.sys -- (s116bus)
DRV - [2006/05/13 13:31:39 | 00,048,928 | ---- | M] () -- C:\WINDOWS\system32\drivers\Tetris.sys -- (Tetris)
DRV - [2006/05/13 13:31:08 | 00,162,432 | ---- | M] () -- C:\WINDOWS\system32\drivers\ithsgt.sys -- (ithsgt)
DRV - [2006/05/13 13:31:08 | 00,012,032 | ---- | M] () -- C:\WINDOWS\system32\drivers\lilsgt.sys -- (lilsgt)
DRV - [2005/09/20 09:00:54 | 01,302,332 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\ialmnt5.sys -- (ialm)
DRV - [2005/03/07 10:52:48 | 00,014,408 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2004/12/06 00:05:00 | 00,100,603 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudfa.sys -- (tfsnudfa)
DRV - [2004/12/06 00:05:00 | 00,098,714 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnudf.sys -- (tfsnudf)
DRV - [2004/12/06 00:05:00 | 00,086,586 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnifs.sys -- (tfsnifs)
DRV - [2004/12/06 00:05:00 | 00,034,843 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsncofs.sys -- (tfsncofs)
DRV - [2004/12/06 00:05:00 | 00,025,883 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnboio.sys -- (tfsnboio)
DRV - [2004/12/06 00:05:00 | 00,015,227 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnopio.sys -- (tfsnopio)
DRV - [2004/12/06 00:05:00 | 00,006,363 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsnpool.sys -- (tfsnpool)
DRV - [2004/12/06 00:05:00 | 00,004,123 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndrct.sys -- (tfsndrct)
DRV - [2004/12/06 00:05:00 | 00,002,239 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfsndres.sys -- (tfsndres)
DRV - [2004/12/01 02:22:00 | 00,087,488 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvmcdb.sys -- (drvmcdb)
DRV - [2004/11/23 01:56:00 | 00,040,480 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\drvnddm.sys -- (drvnddm)
DRV - [2004/08/04 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/08/03 21:29:56 | 01,897,408 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2004/07/14 10:29:04 | 00,005,627 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\sscdbhk5.sys -- (sscdbhk5)
DRV - [2004/07/14 10:28:50 | 00,023,545 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\ssrtln.sys -- (ssrtln)
DRV - [2004/02/13 09:46:00 | 00,017,153 | ---- | M] (Dell Inc) -- C:\WINDOWS\system32\drivers\omci.sys -- (omci)
DRV - [2003/05/06 13:14:34 | 00,580,992 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm)
DRV - [2003/03/04 17:56:26 | 00,145,408 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e100b325.sys -- (E100B)
DRV - [2002/04/01 19:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio)
DRV - [2001/08/17 13:07:44 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 13:07:42 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 13:07:40 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 13:07:36 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 13:07:34 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 12:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1)
DRV - [2001/08/17 12:52:22 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 12:52:20 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 12:52:20 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 12:52:18 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 12:52:16 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 12:52:12 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 12:52:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 12:51:58 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 12:51:56 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 12:51:54 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
IE - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerm...tf8&oe=utf8
IE - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
IE - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\S-1-5-21-3195390456-3017033181-1577977735-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.ie/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.8
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.3

FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/02 02:02:44 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/10/09 08:40:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/10/26 13:27:43 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/10/17 14:09:26 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/10/17 13:45:25 | 00,000,000 | ---D | M]

[2009/10/17 14:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Grainne\Application Data\Mozilla\Extensions
[2009/10/17 14:09:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Grainne\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/10/26 14:29:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Grainne\Application Data\Mozilla\Firefox\Profiles\7j8u1j7s.default\extensions
[2009/10/17 16:40:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Grainne\Application Data\Mozilla\Firefox\Profiles\7j8u1j7s.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/10/17 13:45:27 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/10/17 13:45:27 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/08/24 20:17:45 | 00,023,544 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/08/24 20:17:45 | 00,137,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2009/08/24 20:17:45 | 00,065,016 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2009/08/24 19:10:36 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/08/24 19:10:36 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/10/20 13:06:44 | 00,002,273 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\avg_igeared.xml
[2009/08/24 19:10:36 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/08/24 19:10:36 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/08/24 19:10:36 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/08/24 19:10:36 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/08/24 19:10:36 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/08/24 19:10:36 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (McAfee Phishing Filter) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - c:\Program Files\McAfee\MSK\mskapbho.dll ()
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll File not found
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (EpsonToolBandKicker Class) - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\..\Toolbar\WebBrowser: (EPSON Web-To-Page) - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\epson\EPSON Web-To-Page\EPSON Web-To-Page.dll (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [DVDLauncher] C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe (CyberLink Corp.)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Computer, Inc.)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKU\.DEFAULT..\Run: [mserv] C:\Documents and Settings\LocalService\Application Data\seres.exe File not found
O4 - HKU\.DEFAULT..\Run: [ntias64] File not found
O4 - HKU\.DEFAULT..\Run: [svchost] C:\Documents and Settings\LocalService\Application Data\svcst.exe File not found
O4 - HKU\.DEFAULT..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found
O4 - HKU\S-1-5-18..\Run: [mserv] C:\Documents and Settings\LocalService\Application Data\seres.exe File not found
O4 - HKU\S-1-5-18..\Run: [ntias64] File not found
O4 - HKU\S-1-5-18..\Run: [svchost] C:\Documents and Settings\LocalService\Application Data\svcst.exe File not found
O4 - HKU\S-1-5-18..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found
O4 - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006..\Run: [EPSON Stylus DX8400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICEE.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006..\Run: [mserv] C:\Documents and Settings\Grainne\Application Data\seres.exe ()
O4 - HKLM..\RunOnceEx: [] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Adobe Systems Incorporated)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableProfileQuota = 1
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\..Trusted Domains: internet ([]about in Trusted sites)
O15 - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\..Trusted Domains: mcafee.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-3195390456-3017033181-1577977735-1006\..Trusted Domains: mcafee.com ([]https in Trusted sites)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} http://www.ipix.com/viewers/ipixx.cab (iPIX ActiveX Control)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Reg Error: Key error.)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/8/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/m...96/mcinsctl.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} http://www.linksysfix.com/netcheck/53/install/gtdownls.cab (LinkSys Content Update)
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_04)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_06)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_09)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_10)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_02)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} Reg Error: Key error. (Reg Error: Key error.)
O18 - Protocol\Handler\cdo {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 12:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/11 10:30:59 | 00,529,408 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Grainne\Desktop\OTL.exe
[2009/11/02 13:05:49 | 00,245,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\unicows.dll
[2009/10/26 13:17:00 | 00,023,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\psapi.dll
[2009/10/26 13:12:57 | 00,079,816 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys
[2009/10/26 13:12:57 | 00,040,552 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys
[2009/10/26 13:12:57 | 00,035,272 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys
[2009/10/26 13:12:56 | 00,214,664 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys
[2009/10/26 13:12:46 | 00,120,136 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\Mpfp.sys
[2009/10/26 13:03:49 | 00,034,248 | ---- | C] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys
[2009/10/26 12:57:45 | 01,296,288 | ---- | C] (McAfee, Inc.) -- C:\Documents and Settings\Grainne\Desktop\DMSetup.exe
[2009/10/22 15:07:45 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Grainne\Desktop\Rootrepeal files
[2009/10/22 15:02:51 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Grainne\Desktop\RootRepeal.exe
[2009/10/21 09:15:42 | 00,000,000 | ---D | C] -- C:\Program Files\AVG
[2009/10/20 16:31:42 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Grainne\Application Data\Malwarebytes
[2009/10/20 16:31:36 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/10/20 16:31:35 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/10/20 16:31:35 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/10/20 16:31:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/10/20 11:49:07 | 00,000,000 | ---D | C] -- C:\$AVG
[2009/10/20 11:47:27 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\avg9
[2009/10/20 11:32:35 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Grainne\Desktop\222959_files
[2009/10/20 11:31:17 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2009/10/20 10:32:00 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Grainne\My Documents\Downloads
[2009/10/17 14:09:17 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Grainne\Local Settings\Application Data\Mozilla
[2009/10/17 13:58:20 | 00,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2009/10/17 13:53:49 | 00,005,632 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\write.exe
[2009/10/17 13:53:46 | 00,184,320 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\accwiz.exe
[2009/10/17 13:53:45 | 00,138,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sndvol32.exe
[2009/10/17 13:53:45 | 00,131,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sndrec32.exe
[2009/10/17 13:53:45 | 00,123,392 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mplay32.exe
[2009/10/17 13:53:45 | 00,068,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\access.cpl
[2009/10/17 13:53:44 | 00,347,136 | ---- | C] (Hilgraeve, Inc.) -- C:\WINDOWS\System32\hypertrm.dll
[2009/10/17 13:53:44 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\avtapi.dll
[2009/10/17 13:53:44 | 00,073,216 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\avwav.dll
[2009/10/17 13:53:44 | 00,044,544 | ---- | C] (Hilgraeve, Inc.) -- C:\WINDOWS\System32\hticons.dll
[2009/10/17 13:53:44 | 00,016,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\avmeter.dll
[2009/10/17 13:53:43 | 00,343,040 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mspaint.exe
[2009/10/17 13:53:43 | 00,035,328 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winchat.exe
[2009/10/17 13:53:37 | 00,102,912 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\clipbrd.exe
[2009/10/17 13:53:36 | 00,605,696 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\getuname.dll
[2009/10/17 13:53:36 | 00,114,688 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\calc.exe
[2009/10/17 13:53:36 | 00,080,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\charmap.exe
[2009/10/17 13:53:35 | 00,538,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\spider.exe
[2009/10/17 13:53:35 | 00,126,976 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\mshearts.exe
[2009/10/17 13:53:35 | 00,119,808 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\winmine.exe
[2009/10/17 13:53:35 | 00,056,832 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\sol.exe
[2009/10/17 13:53:34 | 00,400,384 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsxp32.dll
[2009/10/17 13:53:34 | 00,397,312 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxstiff.dll
[2009/10/17 13:53:34 | 00,267,776 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxssvc.exe
[2009/10/17 13:53:34 | 00,246,272 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxst30.dll
[2009/10/17 13:53:34 | 00,192,512 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxswzrd.dll
[2009/10/17 13:53:34 | 00,154,112 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsui.dll
[2009/10/17 13:53:34 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\freecell.exe
[2009/10/17 13:53:33 | 00,562,176 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsst.dll
[2009/10/17 13:53:33 | 00,031,744 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsroute.dll
[2009/10/17 13:53:33 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsmon.dll
[2009/10/17 13:53:33 | 00,023,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsext32.dll
[2009/10/17 13:53:33 | 00,011,264 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxssend.exe
[2009/10/17 13:53:33 | 00,008,704 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsperf.dll
[2009/10/17 13:53:33 | 00,006,656 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsres.dll
[2009/10/17 13:53:32 | 00,229,376 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxscover.exe
[2009/10/17 13:53:32 | 00,055,296 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsevent.dll
[2009/10/17 13:53:32 | 00,026,624 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsdrv.dll
[2009/10/17 13:53:31 | 00,285,184 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxscomex.dll
[2009/10/17 13:53:31 | 00,142,848 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsclnt.exe
[2009/10/17 13:53:31 | 00,132,608 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsclntR.dll
[2009/10/17 13:53:31 | 00,072,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxscom.dll
[2009/10/17 13:53:30 | 00,451,584 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxsapi.dll
[2009/10/17 13:53:30 | 00,111,104 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\fxscfgwz.dll
[2009/10/17 13:53:30 | 00,000,000 | ---D | C] -- C:\WINDOWS\LastGood.Tmp
[2009/10/17 13:45:14 | 00,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/11 14:18:02 | 00,005,095 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/11/11 14:09:38 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/11 14:09:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/11 14:08:57 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/11 14:08:42 | 53,482,7008 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/11 14:07:46 | 08,388,608 | ---- | M] () -- C:\Documents and Settings\Grainne\NTUSER.DAT
[2009/11/11 14:07:46 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Grainne\ntuser.ini
[2009/11/11 10:31:04 | 00,529,408 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Grainne\Desktop\OTL.exe
[2009/11/11 09:40:50 | 00,000,223 | ---- | M] () -- C:\Documents and Settings\Grainne\Desktop\Gullnet - Gulliver Ireland Extranet - LOGIN PAGE.url
[2009/11/02 13:05:42 | 00,001,857 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MSN Installer.lnk
[2009/10/29 16:03:07 | 00,000,286 | ---- | M] () -- C:\Documents and Settings\Grainne\Desktop\Goodbody Stockbrokers - Share Prices - ISEQ.url
[2009/10/29 15:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At40.job
[2009/10/29 14:00:03 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At39.job
[2009/10/29 13:00:04 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At38.job
[2009/10/28 18:00:02 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At43.job
[2009/10/28 18:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At19.job
[2009/10/28 17:00:03 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At42.job
[2009/10/28 17:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At18.job
[2009/10/28 16:00:03 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At41.job
[2009/10/28 15:03:54 | 00,029,696 | ---- | M] () -- C:\Documents and Settings\Grainne\My Documents\CYBC directions 2.doc
[2009/10/28 14:28:15 | 00,019,968 | ---- | M] () -- C:\Documents and Settings\Grainne\My Documents\CYBC directions.doc
[2009/10/27 12:00:05 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At37.job
[2009/10/26 21:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At46.job
[2009/10/26 20:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At45.job
[2009/10/26 20:00:00 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At21.job
[2009/10/26 19:00:02 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At44.job
[2009/10/26 19:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At20.job
[2009/10/26 13:25:37 | 00,000,671 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2009/10/26 13:11:46 | 00,000,344 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/10/26 13:11:45 | 00,000,322 | ---- | M] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/10/26 12:57:45 | 01,296,288 | ---- | M] (McAfee, Inc.) -- C:\Documents and Settings\Grainne\Desktop\DMSetup.exe
[2009/10/25 13:27:44 | 00,524,016 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/10/25 13:27:44 | 00,442,774 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/10/25 13:27:44 | 00,071,848 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/10/23 18:23:04 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Grainne\Application Data\seres.exe
[2009/10/22 15:04:06 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\Grainne\Desktop\settings.dat
[2009/10/22 15:03:20 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Grainne\Desktop\RootRepeal.exe
[2009/10/22 10:44:14 | 00,331,264 | ---- | M] () -- C:\Documents and Settings\Grainne\Desktop\dds.scr
[2009/10/20 16:31:39 | 00,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/20 16:29:17 | 02,205,456 | -H-- | M] () -- C:\Documents and Settings\Grainne\Local Settings\Application Data\IconCache.db
[2009/10/20 11:32:36 | 00,017,397 | ---- | M] () -- C:\Documents and Settings\Grainne\Desktop\222959.htm
[2009/10/20 10:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At36.job
[2009/10/20 09:00:03 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At35.job
[2009/10/20 08:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At34.job
[2009/10/20 07:00:02 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At9.job
[2009/10/20 07:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At33.job
[2009/10/20 06:00:02 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At8.job
[2009/10/20 06:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At32.job
[2009/10/20 05:00:02 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At7.job
[2009/10/20 05:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At31.job
[2009/10/20 04:00:05 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At6.job
[2009/10/20 03:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At5.job
[2009/10/20 02:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At4.job
[2009/10/20 00:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At2.job
[2009/10/19 22:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At48.job
[2009/10/19 21:00:01 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\At47.job
[2009/10/17 14:09:31 | 00,001,943 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/10/17 14:07:24 | 00,000,642 | ---- | M] () -- C:\Documents and Settings\Grainne\Desktop\Outlook Express.lnk
[2009/10/17 13:53:21 | 00,000,057 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2009/10/17 13:47:11 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/10/17 13:46:13 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/10/17 13:45:04 | 00,006,438 | ---- | M] () -- C:\Documents and Settings\Grainne\My Documents\bookmark.htm
[2009/10/16 19:36:12 | 00,001,829 | ---- | M] () -- C:\Documents and Settings\Grainne\Desktop\McAfee Virtual Technician.lnk
[2009/10/15 19:32:26 | 00,189,440 | ---- | M] () -- C:\Documents and Settings\Grainne\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/10/14 08:46:38 | 00,000,124 | ---- | M] () -- C:\Documents and Settings\Grainne\Desktop\365.url
[6 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/11 14:08:42 | 53,482,7008 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/02 13:05:42 | 00,001,857 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MSN Installer.lnk
[2009/10/28 15:03:52 | 00,029,696 | ---- | C] () -- C:\Documents and Settings\Grainne\My Documents\CYBC directions 2.doc
[2009/10/28 14:28:14 | 00,019,968 | ---- | C] () -- C:\Documents and Settings\Grainne\My Documents\CYBC directions.doc
[2009/10/26 13:31:12 | 00,005,095 | ---- | C] () -- C:\WINDOWS\System32\Config.MPF
[2009/10/26 13:25:37 | 00,000,671 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\McAfee Security Center.lnk
[2009/10/26 13:11:46 | 00,000,344 | ---- | C] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/10/26 13:11:44 | 00,000,322 | ---- | C] () -- C:\WINDOWS\tasks\McQcTask.job
[2009/10/22 14:43:11 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\Grainne\Desktop\settings.dat
[2009/10/22 10:44:13 | 00,331,264 | ---- | C] () -- C:\Documents and Settings\Grainne\Desktop\dds.scr
[2009/10/20 16:31:39 | 00,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/10/20 11:32:35 | 00,017,397 | ---- | C] () -- C:\Documents and Settings\Grainne\Desktop\222959.htm
[2009/10/17 14:07:24 | 00,000,642 | ---- | C] () -- C:\Documents and Settings\Grainne\Desktop\Outlook Express.lnk
[2009/10/17 13:53:37 | 00,065,978 | ---- | C] () -- C:\WINDOWS\Soap Bubbles.bmp
[2009/10/17 13:53:37 | 00,065,954 | ---- | C] () -- C:\WINDOWS\Prairie Wind.bmp
[2009/10/17 13:53:37 | 00,065,832 | ---- | C] () -- C:\WINDOWS\Santa Fe Stucco.bmp
[2009/10/17 13:53:37 | 00,026,680 | ---- | C] () -- C:\WINDOWS\River Sumida.bmp
[2009/10/17 13:53:37 | 00,026,582 | ---- | C] () -- C:\WINDOWS\Greenstone.bmp
[2009/10/17 13:53:37 | 00,017,362 | ---- | C] () -- C:\WINDOWS\Rhododendron.bmp
[2009/10/17 13:53:37 | 00,017,336 | ---- | C] () -- C:\WINDOWS\Gone Fishing.bmp
[2009/10/17 13:53:37 | 00,017,062 | ---- | C] () -- C:\WINDOWS\Coffee Bean.bmp
[2009/10/17 13:53:37 | 00,016,730 | ---- | C] () -- C:\WINDOWS\FeatherTexture.bmp
[2009/10/17 13:53:37 | 00,009,522 | ---- | C] () -- C:\WINDOWS\Zapotec.bmp
[2009/10/17 13:53:37 | 00,001,272 | ---- | C] () -- C:\WINDOWS\Blue Lace 16.bmp
[2009/10/17 13:53:36 | 00,093,702 | ---- | C] () -- C:\WINDOWS\System32\subrange.uce
[2009/10/17 13:53:36 | 00,060,458 | ---- | C] () -- C:\WINDOWS\System32\ideograf.uce
[2009/10/17 13:53:36 | 00,024,006 | ---- | C] () -- C:\WINDOWS\System32\gb2312.uce
[2009/10/17 13:53:36 | 00,022,984 | ---- | C] () -- C:\WINDOWS\System32\bopomofo.uce
[2009/10/17 13:53:36 | 00,016,740 | ---- | C] () -- C:\WINDOWS\System32\shiftjis.uce
[2009/10/17 13:53:36 | 00,012,876 | ---- | C] () -- C:\WINDOWS\System32\korean.uce
[2009/10/17 13:53:36 | 00,008,484 | ---- | C] () -- C:\WINDOWS\System32\kanji_2.uce
[2009/10/17 13:53:36 | 00,006,948 | ---- | C] () -- C:\WINDOWS\System32\kanji_1.uce
[2009/10/17 13:53:33 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2009/10/17 13:53:31 | 00,001,361 | ---- | C] () -- C:\WINDOWS\System32\fxscount.h
[2009/10/17 13:46:13 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009/10/17 13:45:00 | 00,006,438 | ---- | C] () -- C:\Documents and Settings\Grainne\My Documents\bookmark.htm
[2009/10/16 19:36:12 | 00,001,829 | ---- | C] () -- C:\Documents and Settings\Grainne\Desktop\McAfee Virtual Technician.lnk
[2009/10/16 16:56:22 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Grainne\Application Data\seres.exe
[2009/10/02 14:17:23 | 00,018,946 | ---- | C] () -- C:\Program Files\Common Files\fufuv.pif
[2009/10/02 14:17:23 | 00,017,193 | ---- | C] () -- C:\Program Files\Common Files\ytyra.dat
[2009/10/02 14:17:23 | 00,013,570 | ---- | C] () -- C:\WINDOWS\yvyp.sys
[2009/10/02 08:54:08 | 00,012,145 | ---- | C] () -- C:\Documents and Settings\Grainne\Local Settings\Application Data\garifib.dll
[2009/10/02 08:54:07 | 00,019,015 | ---- | C] () -- C:\Documents and Settings\Grainne\Local Settings\Application Data\vomisu._dl
[2009/10/02 08:54:07 | 00,018,060 | ---- | C] () -- C:\Documents and Settings\Grainne\Local Settings\Application Data\wepax.dll
[2009/10/02 08:54:07 | 00,015,584 | ---- | C] () -- C:\Program Files\Common Files\hijemygaso.dat
[2009/09/25 12:44:48 | 00,000,014 | ---- | C] () -- C:\Documents and Settings\Grainne\Application Data\iniasd.txt
[2008/09/30 17:52:35 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\cygz.dll
[2008/09/30 17:52:35 | 00,007,196 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP_AAC.ini
[2008/09/30 17:52:35 | 00,006,490 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PSP.ini
[2008/09/30 17:52:35 | 00,005,028 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP2_AAC.ini
[2008/09/30 17:52:35 | 00,004,296 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_Zune.ini
[2008/09/30 17:52:35 | 00,003,045 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_iPod.ini
[2008/09/30 17:52:35 | 00,002,956 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PMP.ini
[2008/09/30 17:52:35 | 00,002,910 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP_AMR.ini
[2008/09/30 17:52:35 | 00,002,516 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PPC.ini
[2008/09/30 17:52:35 | 00,002,175 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_iPhone.ini
[2008/09/30 17:52:35 | 00,001,964 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP2_QVGA_AAC.ini
[2008/09/30 17:52:35 | 00,001,964 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP2_QCIF_AAC.ini
[2008/09/30 17:52:35 | 00,001,878 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_Xbox.ini
[2008/09/30 17:52:35 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QVGA_AMR.ini
[2008/09/30 17:52:35 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QVGA_AAC.ini
[2008/09/30 17:52:35 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QCIF_AMR.ini
[2008/09/30 17:52:35 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QCIF_AAC.ini
[2008/09/30 17:52:35 | 00,001,739 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_AppleTV.ini
[2008/09/30 17:52:35 | 00,000,036 | ---- | C] () -- C:\WINDOWS\System32\INI_Add_mfra.ini
[2008/09/30 17:52:30 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2008/03/27 11:54:00 | 00,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/03/27 11:45:37 | 00,000,025 | ---- | C] () -- C:\WINDOWS\CDE DX8400DEFGIPS.ini
[2007/07/03 19:40:21 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/11/08 08:58:58 | 00,021,808 | ---- | C] () -- C:\Documents and Settings\Grainne\Application Data\GDIPFONTCACHEV1.DAT
[2006/10/20 10:16:15 | 00,000,037 | ---- | C] () -- C:\WINDOWS\ipixActivex.ini
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/05/13 13:31:39 | 00,048,928 | ---- | C] () -- C:\WINDOWS\System32\drivers\Tetris.sys
[2006/05/13 13:31:08 | 00,162,432 | ---- | C] () -- C:\WINDOWS\System32\drivers\ithsgt.sys
[2006/05/13 13:31:08 | 00,012,032 | ---- | C] () -- C:\WINDOWS\System32\drivers\lilsgt.sys
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/01/23 17:42:40 | 00,000,036 | ---- | C] () -- C:\WINDOWS\Tiny_Run.ini
[2006/01/23 17:32:57 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2005/08/28 15:16:27 | 00,021,808 | ---- | C] () -- C:\Documents and Settings\Grainne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2005/08/14 16:15:15 | 00,150,240 | ---- | C] () -- C:\WINDOWS\System32\drivers\MLTCAP.sys
[2005/05/30 12:10:11 | 00,000,942 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2005/05/04 12:05:02 | 02,255,360 | ---- | C] () -- C:\WINDOWS\System32\libavcodec.dll
[2005/05/04 12:05:02 | 00,395,776 | ---- | C] () -- C:\WINDOWS\System32\libmplayer.dll
[2005/05/04 12:05:02 | 00,262,144 | ---- | C] () -- C:\WINDOWS\System32\TomsMoComp_ff.dll
[2005/05/04 12:05:02 | 00,112,640 | ---- | C] () -- C:\WINDOWS\System32\libmpeg2_ff.dll
[2005/05/02 16:16:23 | 00,011,690 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2005/05/02 15:24:18 | 00,000,056 | -HS- | C] () -- C:\WINDOWS\System32\D0A08AF5D6.sys
[2005/04/27 13:16:04 | 00,000,664 | ---- | C] () -- C:\Documents and Settings\Grainne\Local Settings\Application Data\FASTWiz.html
[2005/04/27 13:16:04 | 00,000,079 | ---- | C] () -- C:\Documents and Settings\Grainne\Local Settings\Application Data\FASTWiz.log
[2005/04/21 11:50:21 | 00,189,440 | ---- | C] () -- C:\Documents and Settings\Grainne\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005/04/14 15:56:44 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/04/14 15:26:46 | 02,205,456 | -H-- | C] () -- C:\Documents and Settings\Grainne\Local Settings\Application Data\IconCache.db
[2005/04/14 15:26:46 | 00,000,062 | ---- | C] () -- C:\Documents and Settings\Grainne\Application Data\desktop.ini
[2005/04/12 16:10:46 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/04/12 16:09:18 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2005/04/12 15:51:36 | 00,000,276 | ---- | C] () -- C:\WINDOWS\System32\dlbtplc.ini
[2005/04/12 15:51:14 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/04/12 15:51:06 | 00,000,371 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004/10/26 22:39:05 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/09/15 20:54:36 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/10 12:12:05 | 00,000,780 | ---- | C] () -- C:\WINDOWS\orun32.ini
[2004/08/10 11:57:41 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2004/08/10 11:51:28 | 00,000,573 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/10 11:51:26 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002/09/10 15:10:05 | 00,495,616 | ---- | C] () -- C:\WINDOWS\System32\xvid.dll
[2000/09/08 16:53:50 | 00,073,839 | ---- | C] () -- C:\WINDOWS\System32\KodakOneTouch.dll
< End of report >

#7 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender: Female
  • Location: At home

Posted 11 November 2009 - 10:28 AM

Hi,

could you please provide a log from gmer as well:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.


regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 grawns
  • Topic Starter
  • Members
  • 16 posts

Posted 12 November 2009 - 09:35 AM

Hi there

I ended up running gmer a few times (in both modes) and I'm fairly positive I got all the real-time scanning etc. disabled (you see McAfee is not working right so turning on and off options are missing). These attachments are from when I ran gmer in last known good configuration and the file size in notepad was too big to paste and too big to upload. I've attached 2 partial files leaving out the middle bit. Nothing is ever uncomplicated these days :(

Best Regards

Attached Files



#9 myrti
  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender: Female
  • Location: At home

Posted 12 November 2009 - 09:39 AM

Hi,

that is one lovely collection of rootkits! Let's see if you can run ComboFix to get rid of the biggest mess:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • rename it to fun.exe
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot)


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti



#10 grawns
  • Topic Starter
  • Members
  • 16 posts

Posted 12 November 2009 - 02:56 PM

I did as instructed (not in Safe Mode) and I'm still not sure about McAfee real-time status. I reviewed the help guide again and the options just aren't there on my console. Anyways, after running ComboFix and rebooting, neither Internet Explorer nor Mozilla would work, so I returned to Safe Mode to post this.
Here you go :(

ComboFix 09-11-11.02 - Grainne 12/11/2009 17:26.1.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.510.332 [GMT 0:00]
Running from: c:\documents and settings\Grainne\Desktop\fun.exe
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\bold.log
c:\documents and settings\Grainne\Application Data\iniasd.txt
c:\documents and settings\Grainne\Application Data\seres.exe
c:\documents and settings\LocalService\Application Data\tajogyduze.bat
c:\documents and settings\LocalService\Cookies\adade.ban
c:\documents and settings\LocalService\Cookies\anivo._dl
c:\documents and settings\LocalService\Cookies\izyxitumal.dat
c:\documents and settings\LocalService\Cookies\tubeboco.dl
c:\documents and settings\LocalService\Cookies\ulibu.com
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\eqowadox.vbs
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\kyduteb.com
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\uxat.pif
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1858
c:\recycler\S-1-5-21-4359285130-7574501240-134429497-3324
c:\recycler\S-1-5-21-6054449386-9336778036-802665941-6449
c:\recycler\S-1-5-21-9329746746-0516591536-953675384-9305
c:\windows\system32\drivers\str.sys
c:\windows\system32\drivers\ursqoheybdn.sys
c:\windows\system32\logs
c:\windows\system32\logs\{81BA7867-0F84-44A3-A8DA-D4310672B6E1}.log

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NYLUGT
-------\Service_gasfkydbrijdrm
-------\Service_nylugt


((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-12 17:35 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-02 13:05 . 2004-10-26 22:11 245408 ----a-w- c:\windows\system32\unicows.dll
2009-10-26 13:17 . 2008-04-14 00:12 23040 ----a-w- c:\windows\system32\psapi.dll
2009-10-26 13:12 . 2009-09-16 10:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-26 13:12 . 2009-09-16 10:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-26 13:12 . 2009-09-16 10:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-26 13:12 . 2009-09-16 10:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-26 13:12 . 2009-07-16 12:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-26 13:03 . 2009-09-16 10:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-22 19:22 . 2009-10-22 19:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-22 19:21 . 2009-10-22 19:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-21 09:15 . 2009-10-21 09:15 -------- d-----w- c:\program files\AVG
2009-10-20 16:31 . 2009-10-20 16:31 -------- d-----w- c:\documents and settings\Grainne\Application Data\Malwarebytes
2009-10-20 16:31 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 16:31 . 2009-10-21 09:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 16:31 . 2009-10-20 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-20 16:31 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 11:49 . 2009-10-20 11:49 -------- d-----w- C:\$AVG
2009-10-20 11:47 . 2009-10-21 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-20 11:31 . 2009-11-12 17:39 -------- d-----w- c:\windows\LastGood
2009-10-17 14:09 . 2009-10-17 14:09 -------- d-----w- c:\documents and settings\Grainne\Local Settings\Application Data\Mozilla
2009-10-16 19:37 . 2009-10-16 19:37 49152 ----a-r- c:\documents and settings\Grainne\Application Data\Microsoft\Installer\{49FA793C-785E-47E9-93DF-BD442B0B45D1}\Icon49FA793C.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-26 13:10 . 2005-09-26 09:26 -------- d-----w- c:\program files\McAfee
2009-10-16 17:01 . 2005-08-25 22:47 -------- d-----w- c:\documents and settings\Grainne\Application Data\Azureus
2009-10-15 16:29 . 2009-10-02 17:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-15 14:38 . 2005-08-25 22:46 -------- d-----w- c:\program files\Azureus
2009-10-09 08:40 . 2009-10-09 08:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 08:40 . 2005-04-12 16:04 -------- d-----w- c:\program files\Java
2009-10-09 08:39 . 2009-10-09 08:39 152576 ----a-w- c:\documents and settings\Grainne\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-06 13:14 . 2009-10-06 13:14 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-10-02 16:12 . 2005-09-26 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-02 16:11 . 2009-10-02 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-10-02 16:07 . 2009-10-02 16:06 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-02 16:07 . 2009-10-02 16:06 -------- d-----w- c:\program files\McAfee.com
2009-10-02 14:17 . 2009-10-02 14:17 18946 ----a-w- c:\program files\Common Files\fufuv.pif
2009-10-02 14:17 . 2009-10-02 14:17 17193 ----a-w- c:\program files\Common Files\ytyra.dat
2009-10-02 14:17 . 2009-10-02 14:17 14965 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\vusi.com
2009-10-02 14:17 . 2009-10-02 14:17 13570 ----a-w- c:\windows\yvyp.sys
2009-10-02 08:54 . 2009-10-02 08:54 12145 ----a-w- c:\documents and settings\Grainne\Local Settings\Application Data\garifib.dll
2009-10-02 08:54 . 2009-10-02 08:54 18060 ----a-w- c:\documents and settings\Grainne\Local Settings\Application Data\wepax.dll
2009-10-02 08:54 . 2009-10-02 08:54 15584 ----a-w- c:\program files\Common Files\hijemygaso.dat
2009-10-02 08:21 . 2009-10-02 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-10-02 08:18 . 2009-10-02 08:18 -------- d-----w- c:\program files\Citrix
2009-10-02 08:18 . 2009-10-02 08:18 61224 ----a-w- c:\documents and settings\Grainne\GoToAssistDownloadHelper.exe
2009-09-30 11:11 . 2007-09-02 09:28 288096 ----a-r- c:\documents and settings\Grainne\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-09-11 14:18 . 2004-08-10 11:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-10 11:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-10 11:51 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-10 11:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-10 11:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-10 11:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-19 16:27 . 2005-08-28 15:16 21808 -c--a-w- c:\documents and settings\Grainne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-05-03 21:00 . 2005-05-02 15:24 56 -csh--w- c:\windows\system32\D0A08AF5D6.sys
2006-02-18 17:37 . 2005-05-02 16:16 11690 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-09 149280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-05-04 278528]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49153:TCP"= 49153:TCP:Azureus
"49153:UDP"= 49153:UDP:Azureus
"53:UDP"= 53:UDP:Promo

R3 Tetris;Tetris driver;c:\windows\system32\drivers\Tetris.sys [13/05/2006 13:31 48928]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [02/10/2009 16:11 210216]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-26 12:22]

2009-10-26 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-26 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {D7325F9D-25C1-4169-9916-08435B44A722} = 62.231.32.10,62.231.32.11
FF - ProfilePath - c:\documents and settings\Grainne\Application Data\Mozilla\Firefox\Profiles\7j8u1j7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKU-Default-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-Desktop Weather by The Weather Channel - c:\progra~1\THEWEA~1\DESKTO~1\UNWISE.EXE
AddRemove-DVD Decrypter - c:\program files\DVD Decrypter\uninstall.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 17:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x83FA0F61]<<
kernel: MBR read successfully
user & kernel MBR OK
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

atapi.sys @ 0xF87E4000 0x17900 bytes

\Driver\atapi [ IRP_MJ_CREATE ] 0xF87EE6F2 != 0xF87EDB3A atapi.sys
\Driver\atapi [ IRP_MJ_CLOSE ] 0xF87EE6F2 != 0xF87EDB3A atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xF87EE712 != 0xF87EDB3A atapi.sys
\Driver\atapi [ IRP_MJ_INTERNAL_DEVICE_CONTROL ] 0xF87EA852 != 0xF87EDB3A atapi.sys
\Driver\atapi [ IRP_MJ_POWER ] 0xF87EE73C != 0xF87EDB3A atapi.sys
\Driver\atapi [ IRP_MJ_SYSTEM_CONTROL ] 0xF87F5336 != 0xF87EDB3A atapi.sys
\Driver\atapi IRP hooks detected !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3195390456-3017033181-1577977735-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(528)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(588)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(964)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Dell\OpenManage\Client\Iap.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-11-12 18:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-12 18:04

Pre-Run: 35,935,338,496 bytes free
Post-Run: 35,566,800,896 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - C8BD7EDB0651310939956F642CD10BCE

#11 myrti (Malware Study Hall Admin)

Posted 12 November 2009 - 05:48 PM

Hi,

Are you positive that you rebooted into normal mode? ComboFix believes it was run in safe mode with network support. This can happen when malware tampers with normal mode.

I would like you to check for this as follows:
  • Download & extract this file to its own folder: Registry Search
  • Launch Registry Search
  • In the search box, enter (on separate lines)
    OptionValue
    SAFEBOOT_OPTION
  • Under "Search", make sure only the "Value" box is checked in the first row of checkboxes.
    All other checkboxes should be checked as well.
  • Click "Ok"
  • Notepad will open with some text in it (the file will also be saved in the program's folder as well).
Post this text in your next reply.

Please also run the following scan:
Please download SystemLook from jpshortstuff and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click the SystemLook and copy/paste the following into the box
    :filefind
    atapi.*
  • Hit the Look button. Let it finish the scan
  • A log will then pop up on your Desktop. Post the content of the log here in your next reply
Did Combofix ask you to note down a couple of file names before restarting? If so, could you please provide them?

Please also run a new scan with gmer.

In your next reply I would like to see the log from registry search, the log from systemlook and the log from gmer.

Regards, myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

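As an added example (not code from this thread, nor from the ComboFix, SystemLook, GMER or Registry Search authors), the Python below parses the three log formats involved in the checks myrti asks for and applies them: whether a Registry Search export contains the safe-boot marker (the `OptionValue` entry Windows creates under `...\Control\SafeBoot\Option` for a safe-mode boot, 1 = Minimal, 2 = Network, a standard Windows key rather than something from this thread), whether the loaded `atapi.sys` in a SystemLook `:filefind` listing hashes the same as the Service Pack reference copy, and which `IRP_MJ_*` dispatch entries the MBR check in the ComboFix log above reports as pointing somewhere other than expected. All sample text is constructed to match those formats; the MD5s are placeholder digits, and the constructed listing deliberately gives the live driver a different hash so the mismatch branch runs.

```python
"""Added example, not code from this thread or from the tools' authors: parse
the log formats posted here and apply the helper's checks. Samples are constructed."""
import re

# --- 1. Registry Search export: was Windows booted in safe mode? ---
# Registry Search writes .reg-style output. Windows creates OptionValue under
# ...\Control\SafeBoot\Option only for a safe-mode boot (1 = Minimal, 2 = Network).
# Constructed sample of a safe-mode-with-networking boot; the thread's export was empty.
REGSEARCH_SAMPLE = r"""Windows Registry Editor Version 5.00
; Results at 13/11/2009 11:55:26 for strings:
; 'optionvalue'
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Option]
"OptionValue"=dword:00000002
; End Of The Log...
"""
SAFEBOOT_MODES = {1: "Minimal", 2: "Network"}


def safeboot_state(reg_text):
    """Return the safe-boot mode name, or None when no OptionValue marker exists."""
    key = ""
    for line in reg_text.splitlines():
        if line.startswith("["):
            key = line.strip("[]").lower()
        m = re.match(r'"OptionValue"=dword:([0-9a-fA-F]{8})', line)
        if m and key.endswith(r"\control\safeboot\option"):
            return SAFEBOOT_MODES.get(int(m.group(1), 16), "unknown")
    return None


# --- 2. SystemLook ':filefind atapi.*' listing ---
# One line per copy: <path> <attrs> <size> bytes [<mtime>] [<ctime>] <MD5>.
# Constructed sample: MD5s are placeholder digits; the live driver is given a
# hash that differs from the Service Pack reference copy on purpose.
FILEFIND_SAMPLE = r"""========== filefind ==========

Searching for "atapi.*"
C:\i386\atapi.sys --a--c 95360 bytes [00:00 01/01/2005] [00:00 01/01/2004] 11111111111111111111111111111111
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [00:00 01/01/2008] [00:00 01/01/2008] 22222222222222222222222222222222
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [00:00 01/01/2004] [00:00 01/01/2008] 33333333333333333333333333333333
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--c 95360 bytes [00:00 01/01/2005] [00:00 01/01/2004] 11111111111111111111111111111111

-=End Of File=-
"""
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<mtime>[^\]]+)\] \[(?P<ctime>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")


def parse_filefind(text):
    """Return one dict per file line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            row["md5"] = row["md5"].upper()
            rows.append(row)
    return rows


def compare_driver_copies(rows, live=r"\system32\drivers\atapi.sys",
                          reference=r"\ServicePackFiles\i386\atapi.sys"):
    """Compare the loaded driver's on-disk copy with the Service Pack copy. Older
    copies under i386/ReinstallBackups normally differ too, so they are only listed."""
    def find(suffix):
        return next((r for r in rows if r["path"].lower().endswith(suffix.lower())), None)
    ref, liv = find(reference), find(live)
    if ref is None or liv is None:
        return {"match": None, "reason": "reference or live copy not listed"}
    return {"reference_md5": ref["md5"], "live_md5": liv["md5"],
            "match": liv["md5"] == ref["md5"],
            "differs_from_reference": [r["path"] for r in rows if r["md5"] != ref["md5"]]}


# --- 3. IRP dispatch lines from the MBR check in the ComboFix log ---
# \Driver\<name> [ IRP_MJ_x ] 0x<where it points> != 0x<where expected> <module>
# Constructed sample keeping the layout of the thread's log.
IRP_SAMPLE = r"""user & kernel MBR OK
\Driver\atapi [ IRP_MJ_CREATE ] 0xF87EE6F2 != 0xF87EDB3A atapi.sys
\Driver\atapi [ IRP_MJ_DEVICE_CONTROL ] 0xF87EE712 != 0xF87EDB3A atapi.sys
\Driver\atapi IRP hooks detected !
"""
IRP_RE = re.compile(
    r"^\\Driver\\(\w+) \[ (IRP_MJ_\w+) \] 0x([0-9A-Fa-f]+) != 0x([0-9A-Fa-f]+) (\S+)$")


def parse_irp_hooks(text):
    """Return one dict per hooked dispatch entry (driver, major function, addresses)."""
    hooks = []
    for line in text.splitlines():
        m = IRP_RE.match(line.strip())
        if m:
            drv, major, actual, expected, module = m.groups()
            hooks.append({"driver": drv, "major": major, "module": module,
                          "actual": int(actual, 16), "expected": int(expected, 16)})
    return hooks


if __name__ == "__main__":
    print("safe-boot marker:", safeboot_state(REGSEARCH_SAMPLE))
    print("atapi.sys copies:", compare_driver_copies(parse_filefind(FILEFIND_SAMPLE)))
    for h in parse_irp_hooks(IRP_SAMPLE):
        print(f"{h['driver']} {h['major']}: points to {h['actual']:#x}, expected {h['expected']:#x}")
```

A hash match obtained from inside the running system is only as trustworthy as the disk path it was read through: the ComboFix log above already shows every `atapi` dispatch entry pointing somewhere other than where the tool expects it, and a kernel component sitting in that path can present a clean-looking copy of the file to any tool that reads it from within the OS. That is why the listing is cross-checked against a fresh GMER scan rather than treated as a verdict on its own.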


#12 grawns (Topic Starter)

Posted 13 November 2009 - 10:33 AM

Hi again

ComboFix only mentioned c:\combofix.txt. When I rebooted to normal mode to run the new tests, McAfee seemed to believe it was working, so I was able to manually disable VirusScan etc. this time.
Also, when I connected to the Internet to post the logs, Internet Explorer failed and Mozilla wouldn't launch, so I rebooted to safe mode again.
Here are the logs you asked for: "log from registry search, the log from systemlook and the log from gmer." Happy Friday the 13th (probably a busy day for you guys :( )

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman 2005
; Version: 2.0.6.0

; Results at 13/11/2009 11:55:26 for strings:
; 'optionvalue'
; 'safeboot_option'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 11:58 on 13/11/2009 by Grainne (Administrator - Elevation successful)

========== filefind ==========

Searching for "atapi.*"
C:\cmdcons\ATAPI.SY_ --a--- 49558 bytes [22:59 03/08/2004] [22:59 03/08/2004] 28541D14647BB58502D09D1CEAEE6684
C:\dell\ATAPI.EXE --a--c 28672 bytes [15:50 12/04/2005] [07:23 27/05/2004] 9C559E4CF8C3B2268818F1F6C6B1EE39
C:\i386\atapi.sys --a--c 95360 bytes [18:32 15/04/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\$NtServicePackUninstall$\atapi.sys -----c 95360 bytes [10:33 11/09/2008] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\ERDNT\cache\atapi.sys --a--- 96512 bytes [17:59 12/11/2009] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\ServicePackFiles\i386\atapi.sys ------ 96512 bytes [15:21 27/08/2008] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\drivers\atapi.sys ------ 96512 bytes [21:59 03/08/2004] [18:40 13/04/2008] 9F3A2F5AA6875C72BF062C712CFA2674
C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys --a--c 95360 bytes [15:54 12/04/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51
C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys --a--c 95360 bytes [15:55 12/04/2005] [21:59 03/08/2004] CDFE4411A69C224BD1D11B2DA92DAC51

-=End Of File=-

GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-13 14:58:26
Windows 5.1.2600 Service Pack 3
Running: 753cdprk.exe; Driver: C:\DOCUME~1\Grainne\LOCALS~1\Temp\pxryqpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEFDDD78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEFDDD738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEFDDD74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEFDDD7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEFDDD710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEFDDD724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEFDDD79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEFDDD776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEFDDD762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEFDDD7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEFDDD7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEFDDD7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EFDDD7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP EFDDD78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP EFDDD766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP EFDDD714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP EFDDD7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP EFDDD7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP EFDDD7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP EFDDD750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP EFDDD7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP EFDDD728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EFDDD73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP EFDDD77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF87F7780]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 0229000A
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02290075
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02290064
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02290047
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02290036
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02290FB9
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 022900C8
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 022900A1
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02290F40
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02290F5B
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02290F2F
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02290F94
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02290FE5
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02290086
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02290FD4
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02290025
.text C:\WINDOWS\Explorer.EXE[144] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 022900D9
.text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0228002C
.text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02280F8A
.text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0228001B
.text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02280FE5
.text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02280F9B
.text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02280000
.text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02280047
.text C:\WINDOWS\Explorer.EXE[144] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02280FB6
.text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02270FC8
.text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!system 77C293C7 5 Bytes JMP 02270FE3
.text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02270038
.text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0227000C
.text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02270053
.text C:\WINDOWS\Explorer.EXE[144] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0227001D
.text C:\WINDOWS\Explorer.EXE[144] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02250FE5
.text C:\WINDOWS\Explorer.EXE[144] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0225000A
.text C:\WINDOWS\Explorer.EXE[144] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02250FD4
.text C:\WINDOWS\Explorer.EXE[144] WININET.dll!InternetOpenUrlW 3D998439 3 Bytes JMP 02250FB9
.text C:\WINDOWS\Explorer.EXE[144] WININET.dll!InternetOpenUrlW + 4 3D99843D 1 Byte [C4]
.text C:\WINDOWS\Explorer.EXE[144] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02260000
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01410000
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01410093
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01410F9E
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01410FAF
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01410062
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01410FDB
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01410F72
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014100AE
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014100D5
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01410F3C
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 01410F21
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01410FC0
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0141001B
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01410F83
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01410047
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01410036
.text C:\WINDOWS\system32\services.exe[584] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01410F57
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01070036
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0107006C
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0107001B
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01070000
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01070FA5
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01070FE5
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01070051
.text C:\WINDOWS\system32\services.exe[584] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01070FD4
.text C:\WINDOWS\system32\services.exe[584] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01060070
.text C:\WINDOWS\system32\services.exe[584] msvcrt.dll!system 77C293C7 5 Bytes JMP 01060055
.text C:\WINDOWS\system32\services.exe[584] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01060029
.text C:\WINDOWS\system32\services.exe[584] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01060000
.text C:\WINDOWS\system32\services.exe[584] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0106003A
.text C:\WINDOWS\system32\services.exe[584] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01060FEF
.text C:\WINDOWS\system32\services.exe[584] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FE0FEF
.text C:\WINDOWS\system32\services.exe[584] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FE0FDE
.text C:\WINDOWS\system32\services.exe[584] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FE0FC3
.text C:\WINDOWS\system32\services.exe[584] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00FE0F9E
.text C:\WINDOWS\system32\services.exe[584] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01090FEF
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01090042
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01090F57
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01090F68
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01090025
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01090F9E
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 01090070
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 0109005F
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 01090EFC
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 0109008B
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 010900B0
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 01090F83
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01090000
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 01090F28
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01090FAF
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01090FCA
.text C:\WINDOWS\system32\lsass.exe[596] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 01090F0D
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 01080FB9
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 01080054
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 01080FD4
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 01080000
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 01080F8D
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 01080FEF
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 01080025
.text C:\WINDOWS\system32\lsass.exe[596] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 01080F9E
.text C:\WINDOWS\system32\lsass.exe[596] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0107003B
.text C:\WINDOWS\system32\lsass.exe[596] msvcrt.dll!system 77C293C7 5 Bytes JMP 01070016
.text C:\WINDOWS\system32\lsass.exe[596] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01070FC1
.text C:\WINDOWS\system32\lsass.exe[596] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01070FEF
.text C:\WINDOWS\system32\lsass.exe[596] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01070FA6
.text C:\WINDOWS\system32\lsass.exe[596] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01070FDE
.text C:\WINDOWS\system32\lsass.exe[596] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01060FE5
.text C:\WINDOWS\system32\lsass.exe[596] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01050000
.text C:\WINDOWS\system32\lsass.exe[596] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01050011
.text C:\WINDOWS\system32\lsass.exe[596] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01050FDB
.text C:\WINDOWS\system32\lsass.exe[596] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01050FC0
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 025C0000
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 025C00AB
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 025C0090
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 025C007F
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 025C0058
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 025C002C
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 025C0F63
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 025C0F74
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 025C00E1
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 025C0F48
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 025C0F23
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 025C0047
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 025C0FDB
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 025C0F9B
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 025C001B
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 025C0FCA
.text C:\WINDOWS\system32\svchost.exe[768] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 025C00C6
.text C:\WINDOWS\system32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 025B000A
.text C:\WINDOWS\system32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 025B0076
.text C:\WINDOWS\system32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 025B0FB9
.text C:\WINDOWS\system32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 025B0FD4
.text C:\WINDOWS\system32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 025B005B
.text C:\WINDOWS\system32\svchost.exe[768] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 025B0FEF
.text C:\WINDOWS\system32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 025B0036
.text C:\WINDOWS\system32\svchost.exe[768] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 025B0025
.text C:\WINDOWS\system32\svchost.exe[768] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 025A0FB7
.text C:\WINDOWS\system32\svchost.exe[768] msvcrt.dll!system 77C293C7 5 Bytes JMP 025A0FC8
.text C:\WINDOWS\system32\svchost.exe[768] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 025A002E
.text C:\WINDOWS\system32\svchost.exe[768] msvcrt.dll!_open 77C2F566 5 Bytes JMP 025A0000
.text C:\WINDOWS\system32\svchost.exe[768] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 025A0FE3
.text C:\WINDOWS\system32\svchost.exe[768] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 025A001D
.text C:\WINDOWS\system32\svchost.exe[768] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00FF000A
.text C:\WINDOWS\system32\svchost.exe[768] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00FF0FEF
.text C:\WINDOWS\system32\svchost.exe[768] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\svchost.exe[768] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00FF0036
.text C:\WINDOWS\system32\svchost.exe[768] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0259000A
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00F30FEF
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00F30FA5
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00F3009A
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00F30089
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00F30062
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00F30040
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00F30F66
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00F30F77
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00F30F4B
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00F300E4
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00F300FF
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00F30051
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00F3000A
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00F30F94
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00F30FCA
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00F3001B
.text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00F300D3
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00F20FCA
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00F20040
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00F20FDB
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00F2001B
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00F20F79
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00F2000A
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00F20F94
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [12, 89]
.text C:\WINDOWS\system32\svchost.exe[860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00F20FAF
.text C:\WINDOWS\system32\svchost.exe[860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00F10038
.text C:\WINDOWS\system32\svchost.exe[860] msvcrt.dll!system 77C293C7 5 Bytes JMP 00F10FAD
.text C:\WINDOWS\system32\svchost.exe[860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00F10FD2
.text C:\WINDOWS\system32\svchost.exe[860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00F10000
.text C:\WINDOWS\system32\svchost.exe[860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00F10027
.text C:\WINDOWS\system32\svchost.exe[860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00F10FE3
.text C:\WINDOWS\system32\svchost.exe[860] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00EF0FE5
.text C:\WINDOWS\system32\svchost.exe[860] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00EF0FD4
.text C:\WINDOWS\system32\svchost.exe[860] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00EF000A
.text C:\WINDOWS\system32\svchost.exe[860] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00EF001B
.text C:\WINDOWS\system32\svchost.exe[860] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00F0000A
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02B20000
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02B20F4B
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02B20F66
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02B20F83
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02B20040
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02B20FAF
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02B20082
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02B20F3A
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02B200C9
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02B200A4
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02B20F15
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02B20F94
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02B2001B
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02B2005B
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02B20FCA
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02B20FE5
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02B20093
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02AD001B
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02AD0058
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02AD0FCA
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02AD0000
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02AD0047
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02AD0FEF
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02AD0F9B
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CD, 8A] {INT 0x8a}
.text C:\WINDOWS\System32\svchost.exe[900] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02AD002C
.text C:\WINDOWS\System32\svchost.exe[900] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02AC0FB7
.text C:\WINDOWS\System32\svchost.exe[900] msvcrt.dll!system 77C293C7 5 Bytes JMP 02AC0038
.text C:\WINDOWS\System32\svchost.exe[900] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02AC001D
.text C:\WINDOWS\System32\svchost.exe[900] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02AC0000
.text C:\WINDOWS\System32\svchost.exe[900] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02AC0FC8
.text C:\WINDOWS\System32\svchost.exe[900] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02AC0FE3
.text C:\WINDOWS\System32\svchost.exe[900] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02AA0000
.text C:\WINDOWS\System32\svchost.exe[900] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02AA0011
.text C:\WINDOWS\System32\svchost.exe[900] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02AA0FDB
.text C:\WINDOWS\System32\svchost.exe[900] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02AA002C
.text C:\WINDOWS\System32\svchost.exe[900] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02AB0FEF
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80FE5
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A80F4D
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A8004C
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A8002F
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80F72
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A80F9E
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A80078
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A80F26
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A800B5
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A800A4
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80F0B
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A80F8D
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80FD4
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A8005D
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A80FB9
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A80093
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A7003D
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A70F9B
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A7002C
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A7001B
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A70058
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A70000
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00A70FB6
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [C7, 88]
.text C:\WINDOWS\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A70FC7
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A6003B
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A60FB0
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A60FC1
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60FEF
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60020
.text C:\WINDOWS\system32\svchost.exe[948] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60FD2
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00A40FEF
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00A40025
.text C:\WINDOWS\system32\svchost.exe[948] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00A4004A
.text C:\WINDOWS\system32\svchost.exe[948] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009F0000
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009F0089
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009F0F94
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009F006E
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009F0051
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009F0036
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009F00C8
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009F00AB
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009F0108
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009F0F65
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009F0F54
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009F0FA5
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009F0FE5
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009F009A
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009F0025
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009F0FCA
.text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009F00D9
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009E0FC3
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009E0065
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009E0FD4
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009E000A
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009E0FA8
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009E0FEF
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 009E0054
.text C:\WINDOWS\system32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009E0039
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 009D0FCD
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!system 77C293C7 5 Bytes JMP 009D004E
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 009D0018
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_open 77C2F566 5 Bytes JMP 009D0FEF
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 009D003D
.text C:\WINDOWS\system32\svchost.exe[1060] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 009D0FDE
.text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 009B001B
.text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 009B0FDB
.text C:\WINDOWS\system32\svchost.exe[1060] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 009B0036
.text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!socket 71AB4211 5 Bytes JMP 009C0FEF
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A50FEF
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A50F9E
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A50093
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A50FB9
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A50076
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A5005B
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A500AE
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A50F66
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A500F5
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A500DA
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A50F41
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A50FD4
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A50014
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A50F8D
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A5004A
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A5002F
.text C:\WINDOWS\system32\svchost.exe[1248] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A500C9
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00960FB6
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00960F6F
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00960011
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00960000
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00960F8A
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00960FE5
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00960022
.text C:\WINDOWS\system32\svchost.exe[1248] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00960F9B
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00950042
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!system 77C293C7 5 Bytes JMP 00950027
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00950FD2
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0095000C
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00950FB7
.text C:\WINDOWS\system32\svchost.exe[1248] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00950FE3
.text C:\WINDOWS\system32\svchost.exe[1248] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1248] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00930FE5
.text C:\WINDOWS\system32\svchost.exe[1248] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1248] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00930036
.text C:\WINDOWS\system32\svchost.exe[1248] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00940000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1504] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1504] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00DB0000
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00DB00BA
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00DB00A9
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00DB0098
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00DB007D
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DB006C
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00DB00D7
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00DB0F8F
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00DB0F63
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00DB0F74
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00DB0121
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00DB0FE5
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00DB0011
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00DB0FA0
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00DB0051
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00DB002C
.text C:\WINDOWS\system32\svchost.exe[1848] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00DB00E8
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00DA0FD4
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00DA005B
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00DA0FE5
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00DA001B
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00DA0F9E
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00DA0000
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00DA0040
.text C:\WINDOWS\system32\svchost.exe[1848] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00DA0FB9
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D90062
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D9003D
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D9002C
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D90000
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D90FCD
.text C:\WINDOWS\system32\svchost.exe[1848] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D90011
.text C:\WINDOWS\system32\svchost.exe[1848] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00D8000A
.text C:\WINDOWS\system32\svchost.exe[1848] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00D8001B
.text C:\WINDOWS\system32\svchost.exe[1848] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00D80FE5
.text C:\WINDOWS\system32\svchost.exe[1848] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00D80036

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\atapi \Device\Ide\IdePort0 [F87EAB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F87EAB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdePort1 [F87EAB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F87EAB3A] atapi.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm@start 4
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

#13 myrti

Sillyberry
Malware Study Hall Admin, 33,779 posts
Gender: Female
Location: At home

Posted 15 November 2009 - 05:53 PM

Hi,

please run the following Combofix script for me: (Please download a fresh copy of Combofix and place it on your desktop to follow these instructions)

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\Common Files\fufuv.pif
c:\program files\Common Files\ytyra.dat
c:\documents and settings\LocalService\Local Settings\Application Data\vusi.com
c:\windows\yvyp.sys
c:\documents and settings\Grainne\Local Settings\Application Data\garifib.dll
c:\documents and settings\Grainne\Local Settings\Application Data\wepax.dll
c:\program files\Common Files\hijemygaso.dat

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Please also include a new gmer log.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

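The registry section of the GMER log above and the File:: list in the CFScript both come down to one question: which on-disk files does the hidden service point at? The log lists the same service under several ControlSets (027 through 030), each with an imagepath, a modules subkey mapping an internal alias to a real file, and an injector target, and GMER tags keys that are not in the active ControlSet. The following is an added example of my own, not code from this thread, from GMER or from ComboFix: a small Python parser for "Reg" lines in the shape shown in the log, which collects the per-ControlSet service records and the deduplicated set of files they reference. The sample lines are constructed from the entries above, the line grammar is inferred from those entries, and the C:\WINDOWS value used to expand \systemroot is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the shape of the GMER 1.0.15 "Reg" lines posted above
# (same service and file names as the log, trimmed to a handful of entries).
SAMPLE_GMER_LINES = r"""Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
"""

# "Reg <key>[@<value name>] [<data>]": the key never contains spaces or '@' in this log.
REG_LINE = re.compile(r"^Reg\s+(?P<key>[^\s@]+)(?:@(?P<name>\S+))?(?:\s+(?P<data>.*))?$")
# Only service keys interest us: HKLM\SYSTEM\ControlSetNNN\Services\<svc>[\<subkey...>]
SERVICE_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3}|CurrentControlSet)\\Services\\(?P<svc>[^\\]+)(?:\\(?P<sub>.+))?$",
    re.IGNORECASE,
)
INACTIVE_MARK = "(not active ControlSet)"   # GMER's own annotation, as seen in the log


@dataclass
class ServiceRecord:
    control_set: str
    name: str
    image_path: Optional[str] = None
    start: Optional[int] = None
    modules: Dict[str, str] = field(default_factory=dict)     # alias -> on-disk path
    injector_targets: List[str] = field(default_factory=list)
    marked_inactive: bool = False   # True once GMER tagged any key of this record


def parse_gmer_reg(text: str) -> Dict[Tuple[str, str], ServiceRecord]:
    """Group GMER 'Reg' lines into one record per (ControlSet, service name)."""
    records: Dict[Tuple[str, str], ServiceRecord] = {}
    for raw in text.splitlines():
        m = REG_LINE.match(raw.strip())
        if not m:
            continue                      # not a Reg line (or a shape we do not know)
        k = SERVICE_KEY.match(m["key"])
        if not k:
            continue                      # a Reg line outside the Services tree
        rec = records.setdefault((k["cs"], k["svc"]), ServiceRecord(k["cs"], k["svc"]))
        data = (m["data"] or "").strip()
        name = m["name"]
        sub = (k["sub"] or "").lower()
        if INACTIVE_MARK.lower() in data.lower():
            rec.marked_inactive = True
            continue
        if name is None:
            continue                      # a bare subkey line with no value
        if sub == "":                     # values directly under the service key
            if name.lower() == "imagepath":
                rec.image_path = data
            elif name.lower() == "start" and data.isdigit():
                rec.start = int(data)
        elif sub == "modules":            # alias -> file the driver will load
            rec.modules[name] = data
        elif sub.endswith("injector"):    # module the service injects into processes
            rec.injector_targets.append(data)
    return records


def resolve_systemroot(path: str, systemroot: str = r"C:\WINDOWS") -> str:
    """Expand the \systemroot prefix; the default drive/folder is an assumption."""
    prefix = r"\systemroot"
    if path.lower().startswith(prefix):
        return systemroot + path[len(prefix):]
    return path


def on_disk_artifacts(records: Dict[Tuple[str, str], ServiceRecord],
                      systemroot: str = r"C:\WINDOWS") -> List[str]:
    """Deduplicated, lower-cased list of every file the service entries reference."""
    found: Set[str] = set()
    for rec in records.values():
        for p in [rec.image_path, *rec.modules.values()]:
            if p:
                found.add(resolve_systemroot(p, systemroot).lower())
    return sorted(found)


if __name__ == "__main__":
    recs = parse_gmer_reg(SAMPLE_GMER_LINES)
    for (cs, svc), rec in sorted(recs.items()):
        state = "not the active ControlSet" if rec.marked_inactive else "no inactive marker"
        print(f"{cs}\\{svc}: start={rec.start} image={rec.image_path} ({state})")
        for alias, path in rec.modules.items():
            print(f"    module {alias:<16} -> {path}")
        for tgt in rec.injector_targets:
            print(f"    injector target: {tgt}")
    print("unique on-disk artifacts:")
    for p in on_disk_artifacts(recs):
        print("   ", p)
```

The output is an inventory for the helper to review, not something to paste into a File:: section unread: module aliases such as gasfkyrk.sys are internal names, the real files are the values beside them, and the same driver file shows up under every ControlSet, so a cleanup that only touches the live set leaves the others pointing at it. The inactive marker is GMER's own; a record without it is not proven active, only untagged.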


#14 grawns (Topic Starter)

Members, 16 posts

Posted 16 November 2009 - 03:56 PM

Hi Myrti

As usual I am posting from safe mode but ran the test in normal.
Combofix rebooted at the start as it detected bad rootkit activity. Here's the log from C:\combofix.txt followed by gmer. :(

ComboFix 09-11-16.05 - Grainne 16/11/2009 20:28.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.353.1033.18.510.220 [GMT 0:00]
Running from: c:\documents and settings\Grainne\Desktop\Funfix.exe
Command switches used :: c:\documents and settings\Grainne\Desktop\CFscript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\Grainne\Local Settings\Application Data\garifib.dll"
"c:\documents and settings\Grainne\Local Settings\Application Data\wepax.dll"
"c:\documents and settings\LocalService\Local Settings\Application Data\vusi.com"
"c:\program files\Common Files\fufuv.pif"
"c:\program files\Common Files\hijemygaso.dat"
"c:\program files\Common Files\ytyra.dat"
"c:\windows\yvyp.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Grainne\Local Settings\Application Data\garifib.dll
c:\documents and settings\Grainne\Local Settings\Application Data\wepax.dll
c:\documents and settings\LocalService\Local Settings\Application Data\vusi.com
c:\program files\Common Files\fufuv.pif
c:\program files\Common Files\hijemygaso.dat
c:\program files\Common Files\ytyra.dat
c:\windows\yvyp.sys

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-16 to 2009-11-16 )))))))))))))))))))))))))))))))
.

2009-11-12 17:35 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-02 13:05 . 2004-10-26 22:11 245408 ----a-w- c:\windows\system32\unicows.dll
2009-10-26 13:17 . 2008-04-14 00:12 23040 ----a-w- c:\windows\system32\psapi.dll
2009-10-26 13:12 . 2009-09-16 10:22 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-10-26 13:12 . 2009-09-16 10:22 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-10-26 13:12 . 2009-09-16 10:22 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-10-26 13:12 . 2009-09-16 10:22 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-10-26 13:12 . 2009-07-16 12:32 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-10-26 13:03 . 2009-09-16 10:22 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-10-22 19:22 . 2009-10-22 19:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-10-22 19:21 . 2009-10-22 19:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-10-21 09:15 . 2009-10-21 09:15 -------- d-----w- c:\program files\AVG
2009-10-20 16:31 . 2009-10-20 16:31 -------- d-----w- c:\documents and settings\Grainne\Application Data\Malwarebytes
2009-10-20 16:31 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 16:31 . 2009-10-21 09:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-20 16:31 . 2009-10-20 16:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-20 16:31 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-20 11:49 . 2009-10-20 11:49 -------- d-----w- C:\$AVG
2009-10-20 11:47 . 2009-10-21 09:15 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 09:27 . 2005-08-25 22:47 -------- d-----w- c:\documents and settings\Grainne\Application Data\Azureus
2009-10-26 13:10 . 2005-09-26 09:26 -------- d-----w- c:\program files\McAfee
2009-10-16 19:37 . 2009-10-16 19:37 49152 ----a-r- c:\documents and settings\Grainne\Application Data\Microsoft\Installer\{49FA793C-785E-47E9-93DF-BD442B0B45D1}\Icon49FA793C.exe
2009-10-15 16:29 . 2009-10-02 17:54 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-10-15 14:38 . 2005-08-25 22:46 -------- d-----w- c:\program files\Azureus
2009-10-09 08:40 . 2009-10-09 08:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-09 08:40 . 2005-04-12 16:04 -------- d-----w- c:\program files\Java
2009-10-09 08:39 . 2009-10-09 08:39 152576 ----a-w- c:\documents and settings\Grainne\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-06 13:14 . 2009-10-06 13:14 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SACore
2009-10-02 16:12 . 2005-09-26 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-10-02 16:11 . 2009-10-02 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-10-02 16:07 . 2009-10-02 16:06 -------- d-----w- c:\program files\Common Files\McAfee
2009-10-02 16:07 . 2009-10-02 16:06 -------- d-----w- c:\program files\McAfee.com
2009-10-02 08:21 . 2009-10-02 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Citrix
2009-10-02 08:18 . 2009-10-02 08:18 -------- d-----w- c:\program files\Citrix
2009-10-02 08:18 . 2009-10-02 08:18 61224 ----a-w- c:\documents and settings\Grainne\GoToAssistDownloadHelper.exe
2009-09-30 11:11 . 2007-09-02 09:28 288096 ----a-r- c:\documents and settings\Grainne\Application Data\McAfee\Supportability\MVTLogs\Results\detect.dll
2009-09-11 14:18 . 2004-08-10 11:51 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2004-08-10 11:51 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2004-08-10 11:51 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2004-08-10 11:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2004-08-10 11:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2004-08-10 11:51 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-19 16:27 . 2005-08-28 15:16 21808 -c--a-w- c:\documents and settings\Grainne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-05-03 21:00 . 2005-05-02 15:24 56 -csh--w- c:\windows\system32\D0A08AF5D6.sys
2006-02-18 17:37 . 2005-05-02 16:16 11690 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-11-12_17.54.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-16 20:26 . 2009-11-16 20:26 16384 c:\windows\Temp\Perflib_Perfdata_520.dat
+ 2005-05-26 03:16 . 2009-08-06 19:24 44768 c:\windows\system32\wups2.dll
+ 2005-04-14 20:29 . 2009-08-06 19:24 35552 c:\windows\system32\wups.dll
+ 2004-08-10 12:02 . 2009-08-06 19:24 53472 c:\windows\system32\wuauclt.exe
+ 2009-11-13 15:12 . 2009-08-06 19:24 44768 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.4.7600.226\wups2.dll
+ 2009-11-13 15:12 . 2009-08-06 19:24 35552 c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.4.7600.226\wups.dll
+ 2005-04-14 20:29 . 2009-08-06 19:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2004-08-10 12:02 . 2009-08-06 19:24 53472 c:\windows\system32\dllcache\wuauclt.exe
+ 2004-08-10 11:50 . 2009-08-06 19:24 96480 c:\windows\system32\dllcache\cdm.dll
+ 2004-08-03 21:59 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
- 2005-04-14 15:21 . 2009-11-12 17:42 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-04-14 15:21 . 2009-11-16 20:15 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-04-14 15:21 . 2009-11-16 20:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-04-14 15:21 . 2009-11-12 17:42 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-10 11:50 . 2009-08-06 19:24 96480 c:\windows\system32\cdm.dll
+ 2004-08-10 12:02 . 2009-08-06 19:24 209632 c:\windows\system32\wuweb.dll
+ 2004-08-10 12:02 . 2009-08-06 19:24 327896 c:\windows\system32\wucltui.dll
+ 2004-08-10 12:02 . 2009-08-06 19:23 575704 c:\windows\system32\wuapi.dll
- 2004-08-10 11:57 . 2009-08-15 02:37 134072 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-10 11:57 . 2009-11-13 11:51 134072 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-10 12:02 . 2009-08-06 19:24 209632 c:\windows\system32\dllcache\wuweb.dll
+ 2004-08-10 12:02 . 2009-08-06 19:24 327896 c:\windows\system32\dllcache\wucltui.dll
+ 2004-08-10 12:02 . 2009-08-06 19:23 575704 c:\windows\system32\dllcache\wuapi.dll
+ 2009-11-13 11:45 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB976749-IE7\spuninst\updspapi.dll
+ 2009-11-13 11:45 . 2009-05-26 11:40 231288 c:\windows\ie7updates\KB976749-IE7\spuninst\spuninst.exe
+ 2004-08-10 12:02 . 2009-08-06 19:23 1929952 c:\windows\system32\wuaueng.dll
+ 2004-08-10 11:51 . 2009-08-14 13:21 1850624 c:\windows\system32\win32k.sys
+ 2004-08-10 11:51 . 2009-10-21 04:08 3598336 c:\windows\system32\mshtml.dll
- 2004-08-10 11:51 . 2009-08-29 07:36 3598336 c:\windows\system32\mshtml.dll
+ 2004-08-10 12:02 . 2009-08-06 19:23 1929952 c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-15 10:56 . 2009-08-14 13:21 1850624 c:\windows\system32\dllcache\win32k.sys
- 2004-08-10 11:51 . 2009-08-29 07:36 3598336 c:\windows\system32\dllcache\mshtml.dll
+ 2004-08-10 11:51 . 2009-10-21 04:08 3598336 c:\windows\system32\dllcache\mshtml.dll
+ 2009-11-13 11:45 . 2009-08-29 07:36 3598336 c:\windows\ie7updates\KB976749-IE7\mshtml.dll
+ 2005-05-11 16:27 . 2009-11-05 17:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-09 149280]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2005-05-04 278528]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49153:TCP"= 49153:TCP:Azureus
"49153:UDP"= 49153:UDP:Azureus

R3 Tetris;Tetris driver;c:\windows\system32\drivers\Tetris.sys [13/05/2006 13:31 48928]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [02/10/2009 16:11 210216]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-26 12:22]

2009-10-26 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-26 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.euro.dell.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: {D7325F9D-25C1-4169-9916-08435B44A722} = 62.231.32.10,62.231.32.11
FF - ProfilePath - c:\documents and settings\Grainne\Application Data\Mozilla\Firefox\Profiles\7j8u1j7s.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-16 20:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3195390456-3017033181-1577977735-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-11-16 20:43
ComboFix-quarantined-files.txt 2009-11-16 20:42
ComboFix2.txt 2009-11-12 18:04

Pre-Run: 35,529,703,424 bytes free
Post-Run: 35,477,254,144 bytes free

- - End Of File - - 3C900585581DE21E9C95A1922670CAA7


GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-16 20:51:32
Windows 5.1.2600 Service Pack 3
Running: 753cdprk.exe; Driver: C:\DOCUME~1\Grainne\LOCALS~1\Temp\pxryqpow.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xEFC3D78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xEFC3D738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xEFC3D74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xEFC3D7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xEFC3D710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xEFC3D724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xEFC3D79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xEFC3D776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xEFC3D762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xEFC3D7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xEFC3D7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xEFC3D7B4]
Code \??\C:\DOCUME~1\Grainne\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution 804F0EA6 7 Bytes JMP EFC3D7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtCreateFile 8056F600 5 Bytes JMP EFC3D78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtSetInformationProcess 80570441 5 Bytes JMP EFC3D766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenProcess 805741D0 5 Bytes JMP EFC3D714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwProtectVirtualMemory 8057457F 7 Bytes JMP EFC3D7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwUnmapViewOfSection 80578606 5 Bytes JMP EFC3D7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtMapViewOfSection 80578A81 7 Bytes JMP EFC3D7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80581030 7 Bytes JMP EFC3D750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwTerminateProcess 805836B0 5 Bytes JMP EFC3D7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!NtOpenThread 8058B58D 5 Bytes JMP EFC3D728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwCreateProcess 805B136A 5 Bytes JMP EFC3D73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntoskrnl.exe!ZwSetContextThread 8062DD47 5 Bytes JMP EFC3D77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
? C:\DOCUME~1\Grainne\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007C0000
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007C0F6D
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007C0F7E
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007C0F8F
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007C0058
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007C0FC7
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007C0F52
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007C008E
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007C00C6
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007C0F2D
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007C0F08
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007C0FB6
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007C0011
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007C007D
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007C003D
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007C0022
.text C:\WINDOWS\system32\services.exe[568] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007C00B5
.text C:\WINDOWS\system32\services.exe[568] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00070022
.text C:\WINDOWS\system32\services.exe[568] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00070062
.text C:\WINDOWS\system32\services.exe[568] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00070011
.text C:\WINDOWS\system32\services.exe[568] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00070000
.text C:\WINDOWS\system32\services.exe[568] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00070051
.text C:\WINDOWS\system32\services.exe[568] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[568] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00070FA5
.text C:\WINDOWS\system32\services.exe[568] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [27, 88]
.text C:\WINDOWS\system32\services.exe[568] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00070FB6
.text C:\WINDOWS\system32\services.exe[568] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00060F97
.text C:\WINDOWS\system32\services.exe[568] msvcrt.dll!system 77C293C7 5 Bytes JMP 00060FB2
.text C:\WINDOWS\system32\services.exe[568] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[568] msvcrt.dll!_open 77C2F566 5 Bytes JMP 0006000C
.text C:\WINDOWS\system32\services.exe[568] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00060FC3
.text C:\WINDOWS\system32\services.exe[568] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[568] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00050FEF
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EF0FEF
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EF0054
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EF0043
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EF0028
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EF0F6B
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EF0FA1
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EF0F0C
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EF0F1D
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EF0083
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EF0EEA
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EF009E
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EF0F7C
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EF0FDE
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EF0F44
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EF0FB2
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EF0FCD
.text C:\WINDOWS\system32\lsass.exe[580] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EF0EFB
.text C:\WINDOWS\system32\lsass.exe[580] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00EE0FA8
.text C:\WINDOWS\system32\lsass.exe[580] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00EE0040
.text C:\WINDOWS\system32\lsass.exe[580] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00EE0FC3
.text C:\WINDOWS\system32\lsass.exe[580] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00EE0FDE
.text C:\WINDOWS\system32\lsass.exe[580] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00EE0025
.text C:\WINDOWS\system32\lsass.exe[580] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00EE0FEF
.text C:\WINDOWS\system32\lsass.exe[580] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00EE0014
.text C:\WINDOWS\system32\lsass.exe[580] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00EE0F97
.text C:\WINDOWS\system32\lsass.exe[580] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00ED0FA6
.text C:\WINDOWS\system32\lsass.exe[580] msvcrt.dll!system 77C293C7 5 Bytes JMP 00ED0FB7
.text C:\WINDOWS\system32\lsass.exe[580] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00ED000C
.text C:\WINDOWS\system32\lsass.exe[580] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00ED0FE3
.text C:\WINDOWS\system32\lsass.exe[580] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00ED0027
.text C:\WINDOWS\system32\lsass.exe[580] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00ED0FD2
.text C:\WINDOWS\system32\lsass.exe[580] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C80FEF
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C80F6D
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C8006C
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C80F9E
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C8005B
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C8004A
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C800A9
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C80098
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C80F2B
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C80F46
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C800DF
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C80FB9
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C80FDE
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C8007D
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C80025
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C80014
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C800C4
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C70040
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C70F94
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C7002F
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C70FEF
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C70051
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C70000
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00C70FB9
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [E7, 88] {OUT 0x88, EAX}
.text C:\WINDOWS\system32\svchost.exe[748] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C70FCA
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C60FCA
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C60055
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C60033
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C60FEF
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C60044
.text C:\WINDOWS\system32\svchost.exe[748] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C60018
.text C:\WINDOWS\system32\svchost.exe[748] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C50FE5
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00BE0FEF
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00BE0065
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00BE0F66
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00BE0F83
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00BE0F94
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00BE002F
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00BE0F24
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00BE0076
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00BE00BD
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00BE00A2
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00BE0F13
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00BE0040
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00BE0FDE
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00BE0F4B
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00BE0FC3
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00BE0014
.text C:\WINDOWS\system32\svchost.exe[832] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00BE0091
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00BD0FC0
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00BD0040
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00BD0FE5
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00BD001B
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00BD0F79
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00BD0000
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00BD0F8A
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [DD, 88]
.text C:\WINDOWS\system32\svchost.exe[832] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00BD0FA5
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00BC0049
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!system 77C293C7 5 Bytes JMP 00BC0038
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00BC0FD2
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00BC0FE3
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00BC0027
.text C:\WINDOWS\system32\svchost.exe[832] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00BC0000
.text C:\WINDOWS\system32\svchost.exe[832] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00BB0000
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02FF0FEF
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02FF0F5F
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02FF0F7A
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02FF0054
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02FF0FA1
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02FF0FCD
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02FF0080
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02FF006F
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02FF0EF8
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02FF0091
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02FF00AC
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02FF0FB2
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02FF0FDE
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02FF0F44
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02FF002F
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02FF0014
.text C:\WINDOWS\System32\svchost.exe[868] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02FF0F1D
.text C:\WINDOWS\System32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02FE0036
.text C:\WINDOWS\System32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02FE0FA8
.text C:\WINDOWS\System32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02FE0025
.text C:\WINDOWS\System32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02FE0FEF
.text C:\WINDOWS\System32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02FE005B
.text C:\WINDOWS\System32\svchost.exe[868] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02FE0000
.text C:\WINDOWS\System32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 02FE0FB9
.text C:\WINDOWS\System32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [1E, 8B]
.text C:\WINDOWS\System32\svchost.exe[868] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02FE0FD4
.text C:\WINDOWS\System32\svchost.exe[868] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0297003D
.text C:\WINDOWS\System32\svchost.exe[868] msvcrt.dll!system 77C293C7 5 Bytes JMP 02970022
.text C:\WINDOWS\System32\svchost.exe[868] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02970FBC
.text C:\WINDOWS\System32\svchost.exe[868] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02970FE3
.text C:\WINDOWS\System32\svchost.exe[868] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02970011
.text C:\WINDOWS\System32\svchost.exe[868] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02970000
.text C:\WINDOWS\System32\svchost.exe[868] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02960FEF
.text C:\WINDOWS\System32\svchost.exe[868] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02870FEF
.text C:\WINDOWS\System32\svchost.exe[868] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02870FD4
.text C:\WINDOWS\System32\svchost.exe[868] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02870014
.text C:\WINDOWS\System32\svchost.exe[868] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02870025
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00760000
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00760093
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00760078
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0076005B
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00760F9E
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00760FCA
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007600DC
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007600BF
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00760F65
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00760108
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00760119
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00760FAF
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00760FE5
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007600A4
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00760036
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0076001B
.text C:\WINDOWS\system32\svchost.exe[912] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007600F7
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00750039
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00750F9E
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00750FDE
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00750FEF
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0075005B
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0075000A
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0075004A
.text C:\WINDOWS\system32\svchost.exe[912] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00750FCD
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00740F77
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!system 77C293C7 5 Bytes JMP 00740F9C
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0074000C
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00740FEF
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00740FAD
.text C:\WINDOWS\system32\svchost.exe[912] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00740FD2
.text C:\WINDOWS\system32\svchost.exe[912] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00730FEF
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 009B0FEF
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 009B006F
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 009B0F70
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 009B0F81
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 009B004A
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 009B0FC3
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 009B00A7
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 009B0096
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 009B0F33
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 009B0F4E
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 009B0F22
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 009B0FA8
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 009B0FD4
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 009B0F5F
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 009B0025
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 009B000A
.text C:\WINDOWS\system32\svchost.exe[972] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 009B00CC
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 009A0FB2
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 009A0F72
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 009A0FC3
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 009A0FD4
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 009A0039
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 009A0FE5
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 009A0F97
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [BA, 88]
.text C:\WINDOWS\system32\svchost.exe[972] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 009A001E
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00990049
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!system 77C293C7 5 Bytes JMP 0099002E
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00990FD2
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00990FEF
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0099001D
.text C:\WINDOWS\system32\svchost.exe[972] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0099000C
.text C:\WINDOWS\system32\svchost.exe[972] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00980000
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80054
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80F69
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80F86
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80F97
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B80FA8
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F33
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B8006F
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B80EEC
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80EFD
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B80EDB
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B80039
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B80F44
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80FB9
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80FCA
.text C:\WINDOWS\system32\svchost.exe[1236] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B80F0E
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0093003D
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0093006C
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0093002C
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0093001B
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00930FA5
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00930000
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00930FCA
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 88] {MOV BL, 0x88}
.text C:\WINDOWS\system32\svchost.exe[1236] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00930FDB
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00920040
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!system 77C293C7 5 Bytes JMP 00920FAB
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00920FEF
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 0092001B
.text C:\WINDOWS\system32\svchost.exe[1236] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00920FC6
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00900FE5
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00900FD4
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00900FC3
.text C:\WINDOWS\system32\svchost.exe[1236] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00900014
.text C:\WINDOWS\system32\svchost.exe[1236] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00910000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1412] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1412] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B90FEF
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B90093
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B90082
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B90067
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B90040
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B90FAF
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B90F52
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B900A4
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B900D0
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B900BF
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B90F1C
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B90F9E
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B90014
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B90F79
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B90FCA
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B90025
.text C:\WINDOWS\system32\svchost.exe[1716] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B90F41
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B80036
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B80091
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B80FE5
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B8001B
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B8006C
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B80051
.text C:\WINDOWS\system32\svchost.exe[1716] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B80FCA
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B70053
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B70FC8
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B70FE3
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B70038
.text C:\WINDOWS\system32\svchost.exe[1716] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B7001D
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001A0000
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001A00A7
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001A008C
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001A0FB2
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001A006F
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001A0FC3
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001A00E4
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001A00D3
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001A012B
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001A011A
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001A0F81
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001A0054
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001A0FE5
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001A00C2
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001A002F
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001A0FD4
.text C:\WINDOWS\explorer.exe[2976] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001A00FF
.text C:\WINDOWS\explorer.exe[2976] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00290040
.text C:\WINDOWS\explorer.exe[2976] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00290080
.text C:\WINDOWS\explorer.exe[2976] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0029002F
.text C:\WINDOWS\explorer.exe[2976] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00290FEF
.text C:\WINDOWS\explorer.exe[2976] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00290FB9
.text C:\WINDOWS\explorer.exe[2976] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00290000
.text C:\WINDOWS\explorer.exe[2976] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0029005B
.text C:\WINDOWS\explorer.exe[2976] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00290FD4
.text C:\WINDOWS\explorer.exe[2976] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002A0FA1
.text C:\WINDOWS\explorer.exe[2976] msvcrt.dll!system 77C293C7 5 Bytes JMP 002A002C
.text C:\WINDOWS\explorer.exe[2976] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002A0FC6
.text C:\WINDOWS\explorer.exe[2976] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002A0000
.text C:\WINDOWS\explorer.exe[2976] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002A001B
.text C:\WINDOWS\explorer.exe[2976] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002A0FE3
.text C:\WINDOWS\explorer.exe[2976] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 002C0000
.text C:\WINDOWS\explorer.exe[2976] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 002C0FDB
.text C:\WINDOWS\explorer.exe[2976] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 002C0011
.text C:\WINDOWS\explorer.exe[2976] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 002C0FB6
.text C:\WINDOWS\explorer.exe[2976] WS2_32.dll!socket 71AB4211 5 Bytes JMP 017B0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat EEA8AD20

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm@start 4
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm@group file system
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main@aid 20124
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main@sid 0
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkycmd.dll \systemroot\system32\gasfkyscnjnqhp.dll
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkylog.dat \systemroot\system32\gasfkydcqdlylt.dat
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkywsp.dll \systemroot\system32\gasfkymxtsxxrx.dll
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfky.dat \systemroot\system32\gasfkybnyrsbqh.dat
Reg HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll

---- EOF - GMER 1.0.15 ----
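The GMER registry lines above all follow one rigid format, so a responder can parse them instead of reading thirty near-identical ControlSet blocks by eye. The Python below is an added example, not code from this thread or from GMER: it parses "Reg" lines, folds them into one summary per service (which ControlSets carry it, driver image, start/type, the DLL named under main\injector, and each logical module name with the file it is actually stored as) and lists the evidence a responder would note. The sample log is constructed from the ControlSet020 entries above; the "---- Registry - GMER 1.0.15 ----" header line is assumed.

```python
import re
from collections import defaultdict

# GMER "Reg" lines: key (with optional subkey), then either "@value data" or a
# parenthesised remark, e.g. "...\gasfkydbrijdrm\main (not active ControlSet)".
LINE_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>ControlSet\d{3})\\Services\\(?P<svc>[^\\@\s]+)"
    r"(?:\\(?P<sub>[^@\s]+))?"              # optional subkey, e.g. main\injector
    r"(?:@(?P<val>\S+)\s+(?P<data>.*?))?"   # optional value name and its data
    r"(?:\s*\((?P<note>[^)]*)\))?\s*$"      # optional remark
)

def parse_gmer_reg_lines(lines):
    """Turn GMER 'Reg' lines into dicts; lines from other log sections are skipped."""
    records = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            records.append({"controlset": d["cs"], "service": d["svc"], "subkey": d["sub"] or "",
                            "value": d["val"], "data": d["data"], "note": d["note"]})
    return records

def summarize_services(records):
    """One entry per service: ControlSets, driver image, start/type, injected DLLs, modules."""
    summary = defaultdict(lambda: {"controlsets": set(), "start": None, "type": None,
                                   "imagepath": None, "injector": set(), "modules": {}})
    for r in records:
        s = summary[r["service"]]
        s["controlsets"].add(r["controlset"])
        if r["value"] is None:          # key-only line (carries only a remark)
            continue
        if r["subkey"] == "" and r["value"] in ("start", "type"):
            s[r["value"]] = int(r["data"])
        elif r["subkey"] == "" and r["value"] == "imagepath":
            s["imagepath"] = r["data"]
        elif r["subkey"] == "main\\injector":
            s["injector"].add(r["data"])
        elif r["subkey"] == "modules":  # logical module name -> file it is stored as
            s["modules"][r["value"]] = r["data"]
    return dict(summary)

def describe(entry):
    """Evidence a responder reads off one service entry (facts, not a verdict)."""
    facts = []
    if entry["type"] == 1 and entry["start"] == 1:
        facts.append("kernel driver with SYSTEM start")
    if entry["injector"]:
        facts.append("injector lists " + ", ".join(sorted(entry["injector"])))
    # modules whose on-disk file name differs from the logical name the service uses
    renamed = sorted(k for k, p in entry["modules"].items()
                     if p.rsplit("\\", 1)[-1].lower() != k.lower())
    if renamed:
        facts.append("modules stored under different file names: " + ", ".join(renamed))
    facts.append("present in %d ControlSet(s)" % len(entry["controlsets"]))
    return facts

# Constructed sample: part of the ControlSet020 block from the log above, one
# ControlSet021 line, and an (assumed) section header the parser must ignore.
SAMPLE_LOG = r"""
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@start 1
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@type 1
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm@imagepath \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\main\injector@* gasfkywsp8.dll
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkynnsirbad.sys
Reg HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm\modules@gasfkywsp8.dll \systemroot\system32\gasfkypfvnylqp.dll
Reg HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm@start 1
""".strip().splitlines()

if __name__ == "__main__":
    for name, entry in summarize_services(parse_gmer_reg_lines(SAMPLE_LOG)).items():
        print(name, *("\n  - " + f for f in describe(entry)))
```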

#15 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:11:08 AM

Posted 18 November 2009 - 11:54 AM

Hi,

The logs are looking promising. Can you tell me how your PC is behaving in normal mode now? Are you still having issues? How is your PC holding up in safe mode?

Open Notepad and copy/paste the code box below into a new text file.
@echo off

echo old permissions > "%temp%\look.txt"
swreg acl HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm >> "%temp%\look.txt"
swreg acl HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet002\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet003\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet004\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet005\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet006\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet007\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet008\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet009\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet010\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet011\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet012\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet013\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet014\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet015\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet016\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet017\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet018\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet019\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet020\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet021\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet022\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet023\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet024\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet025\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet026\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet027\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet028\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet029\Services\gasfkydbrijdrm /reset
swreg acl HKLM\SYSTEM\ControlSet030\Services\gasfkydbrijdrm /reset

echo.  >> "%temp%\look.txt"
echo new permissions >> "%temp%\look.txt"
swreg acl HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm >> "%temp%\look.txt"

echo.  >> "%temp%\look.txt"
echo controlsets >> "%temp%\look.txt"
swreg query HKLM\System\select >> "%temp%\look.txt"

"%temp%\look.txt"
  • Save the file as permissions.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "permissions.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
  • It will open a text file, please copy the content in your next reply.
Please save the content of that file to a location of your choice, before rebooting.

After that, please reboot a couple of times (3-4 times should suffice). Afterwards, please run GMER again:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

As well as the following batch:
Open Notepad and copy/paste the code box below into a new text file.
@echo off
swreg acl HKLM\SYSTEM\ControlSet001\Services\gasfkydbrijdrm > "%temp%\look2.txt"
swreg query HKLM\System\select >> "%temp%\look2.txt"
swreg query HKLM\System >>"%temp%\look2.txt"
"%temp%\look2.txt"
  • Save the file as regquery.bat by choosing save as *All Files, and save it to your Desktop.
  • Locate "regquery.bat" and double-click on it to run. (It is important that you run the script from the drive where your operating system is installed).
  • It will open a text file, please copy the content in your next reply.
In your next reply I would like to see the logs from permissions.bat, regquery.bat and gmer.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 
