
browser redirect


  • This topic is locked
22 replies to this topic

#1 notthecraw

  • Members
  • 36 posts

Posted 12 November 2009 - 02:43 AM

I seem to have a common search engine redirect virus.

I typically use Yahoo! so that's where I noticed the problem.

To be perfectly clear, when using the search engine, a list of results displays correctly. However, upon selecting a link from the list, the browser redirects to various ad pages. I've noticed a "curlicue" momentarily appearing in the address bar where the page icon (often iexplore icon) shows just to the left of the URL whenever this happens.

Often after three or four tries, I get the desired site. Occasionally a window pops up indicating that a virus is present and everything freezes except a running count on the window itself seemingly indicating how many files are being infected, but I am not sure; I restart hard as soon as I see this message and have not been able to get a print-screen of it yet.

Here is the DDS file as requested. I've downloaded the ComboFix file but have not run it as I saw in a previous post to wait until requested. Thank you for your help. ~Dan

___

DDS (Ver_09-10-26.01) - NTFSx86
Run by daniel at 23:17:05.56 on Wed 11/11/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1025 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\AMT\UNS.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
X:\computer\downloads\virus\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://groups.yahoo.com/group/solid_rock_climbers/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [GoToMeeting] c:\program files\citrix\gotomeeting\320\g2mstart.exe "/Trigger RunAtLogon"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\nero\data\xtras\mssysmgr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CTSysVol] c:\program files\creative\sb live! 24-bit\surround mixer\CTSysVol.exe /r
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\daniel\startm~1\programs\startup\micros~1.lnk - c:\windows\installer\{91120000-002e-0000-0000-0000000ff1ce}\outicon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: aol.com\free
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233701022375
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233792066875
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-2-25 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-2-4 203280]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\intel\amt\UNS.exe [2009-2-3 2521624]
R3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2009-5-27 29262680]

=============== Created Last 30 ================

2009-11-06 21:00:57 0 d-----w- c:\program files\iPod
2009-11-06 21:00:54 0 d-----w- c:\program files\iTunes
2009-10-17 19:02:20 0 d-----w- c:\windows\SQL9_KB970892_ENU

==================== Find3M ====================

2009-09-16 17:22:48 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22:48 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22:48 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22:48 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22:14 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36:27 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36:24 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36:24 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00:21 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 06:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 13:21:25 1850624 ----a-w- c:\windows\system32\win32k.sys
2006-06-23 06:48:54 32768 ----a-r- c:\windows\inf\UpdateUSB.exe

============= FINISH: 23:18:11.56 ===============

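An added example, not part of this post and not the logic of the DDS or OTL tools themselves: the first-pass triage a reviewer does on a log like the one above before asking for more scans. It parses the DDS banners (Running Processes, Pseudo HJT Report) and the OTL SRV/DRV/PRC lines that appear in the reply further down this thread, and flags entries that deserve a second look. The trusted-directory list, the DPF host allowlist and the sample log (constructed from lines in this thread) are assumptions of the example; a flag is a review item, not a verdict. Bare-name Run entries such as RTHDCPL.EXE or RUNDLL32.EXE are usually vendor entries, but they are resolved through the logon search order rather than a fixed path, so a reviewer confirms which file actually runs; an OTL line with an empty company field () or a path under a Temp directory gets compared against a known-good copy of the file.

```python
"""Review-item triage for DDS and OTL logs (added example; the heuristics are
assumptions, not the tools' own logic). A flag means 'look at this', nothing more."""
import re
# Assumed allowlists: autostart directories, and DPF hosts not worth a second look.
TRUSTED_DIR_PREFIXES = ("c:\\windows", "c:\\program files", "c:\\progra~1")
TRUSTED_DPF_DOMAINS = ("microsoft.com", "macromedia.com", "adobe.com")

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>\S+)$")
TZ_RE = re.compile(r"^Trusted Zone: (?P<entry>.+)$")
OTL_RE = re.compile(r"^(?P<kind>SRV|DRV|PRC) - \[[^\]]*\] \((?P<company>[^)]*)\) -- "
                    r"(?P<path>.+?)(?: -- \((?P<svc>[^)]+)\))?$")
EXT_RE = re.compile(r"\.(exe|scr|com|dll|sys|bat|cmd)\b", re.IGNORECASE)

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
X:\computer\downloads\virus\dds.scr
============== Pseudo HJT Report ===============
uRun: [GoToMeeting] c:\program files\citrix\gotomeeting\320\g2mstart.exe "/Trigger RunAtLogon"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [atchk] "c:\program files\intel\amt\atchk.exe"
Trusted Zone: aol.com\free
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.3.cab
========== Win32 Services (SafeList) ==========
SRV - [2009/10/27 08:50:12 | 00,316,312 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\Temp\0263051258567741mcinst.exe -- (0263051258567741mcinstcleanup)
DRV - [2008/04/13 10:40:30 | 00,096,512 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
"""

def parse_sections(text):
    """Split a log into {banner title: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def executable_of(cmd):
    """Program a Run value launches: the quoted path, else text up to the first
    executable extension (unquoted paths with spaces are common in these logs)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.search(cmd)
    return cmd[:m.end()] if m else cmd.split(" ", 1)[0]

def dpf_host(url):
    """Host of a DPF download URL; DDS defangs the scheme as hxxp."""
    return re.sub(r"^(hxxps?|https?)://", "", url).split("/", 1)[0].lower()

def host_allowed(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)

def triage(text):
    """Group review-worthy entries by heuristic; an empty list means nothing flagged."""
    sections = parse_sections(text)
    found = {k: [] for k in ("process_outside_trusted_dirs", "run_unqualified",
                             "run_outside_trusted_dirs", "dpf_untrusted_host",
                             "trusted_zone", "otl_no_company", "otl_temp_path")}
    for line in sections.get("Running Processes", []):
        if "\\" in line and not line.lower().startswith(TRUSTED_DIR_PREFIXES):
            found["process_outside_trusted_dirs"].append(line)
    for line in (l for lines in sections.values() for l in lines):
        if m := RUN_RE.match(line):
            exe = executable_of(m["cmd"])
            if "\\" not in exe:
                # Bare name: resolved through the search order at logon, so a
                # same-named file planted earlier in that order is what runs.
                found["run_unqualified"].append(f"{m['name']}: {exe}")
            elif not exe.lower().startswith(TRUSTED_DIR_PREFIXES):
                found["run_outside_trusted_dirs"].append(f"{m['name']}: {exe}")
        elif m := DPF_RE.match(line):
            host = dpf_host(m["url"])
            if not host_allowed(host):
                found["dpf_untrusted_host"].append(f"{host}: {m['clsid']}")
        elif m := TZ_RE.match(line):
            found["trusted_zone"].append(m["entry"])  # site gets IE's Trusted zone rules
        elif m := OTL_RE.match(line):
            label = f"{m['kind']} {m['path']}"
            if not m["company"].strip():
                found["otl_no_company"].append(label)
            if "\\temp\\" in m["path"].lower():
                found["otl_temp_path"].append(label)
    return found

if __name__ == "__main__":
    for heuristic, hits in triage(SAMPLE_LOG).items():
        print(f"{heuristic}: {hits}")
```

Run it as-is to print the findings for the constructed sample, or point triage() at a real log read from a file. The allowlists are deliberately short: a false flag here costs a minute of checking, while a missed entry is the whole reason the log was posted.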

#2 myrti

  • Malware Study Hall Admin
  • 33,779 posts

Posted 20 November 2009 - 05:49 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 



#3 notthecraw

  • Topic Starter
  • Members
  • 36 posts

Posted 20 November 2009 - 01:12 PM

Thanks myrti. Here's some more information since my original post.

1. Using IE, browser redirects after search page link is selected (original problem)
2. Internet speed has decreased dramatically, to the point of being measured in Bytes/s.
3. Ran ESETv3 with "no threats found".
4. Attempted to update Java but it does not show up in Control Panel > Add/Remove Programs
This is curious to me as researching the net leads me to think this may be a rootkit problem with Java.
I don't really know if that is helpful or potentially misleading, but that's what I've managed to dig up so far.

Thanks in advance for your assistance and here are those logs:

OTL---------------------------------------------------------------------
OTL logfile created on: 11/20/2009 9:58:00 AM - Run 1
OTL by OldTimer - Version 3.1.6.1 Folder = C:\Documents and Settings\daniel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.98 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 43.16% Memory free
3.83 Gb Paging File | 2.74 Gb Available in Paging File | 71.39% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 195.31 Gb Total Space | 170.45 Gb Free Space | 87.27% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 270.45 Gb Total Space | 247.65 Gb Free Space | 91.57% Space Free | Partition Type: NTFS

Computer Name: STUPID
Current User Name: daniel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/20 09:56:17 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\daniel\Desktop\OTL.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:26 | 00,141,600 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes\iTunesHelper.exe
PRC - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe
PRC - [2009/09/16 10:23:32 | 00,262,160 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcvsshld.exe
PRC - [2009/09/16 10:23:32 | 00,262,160 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\VirusScan\mcvsshld.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/08/26 21:18:44 | 00,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/08/26 21:18:44 | 00,634,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2009/08/17 21:54:54 | 12,957,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2009/08/17 21:54:54 | 12,957,536 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/05/27 02:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
PRC - [2009/02/25 17:06:42 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2009/02/23 10:03:46 | 00,031,552 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe
PRC - [2009/02/23 10:03:46 | 00,031,552 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMeeting\320\g2mlauncher.exe
PRC - [2009/02/23 10:03:46 | 00,031,552 | ---- | M] (Citrix Online, a division of Citrix Systems, Inc.) -- C:\Program Files\Citrix\GoToMeeting\320\g2mcomm.exe
PRC - [2009/01/23 10:46:14 | 00,203,280 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008/11/24 22:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2008/11/24 22:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
PRC - [2008/10/25 11:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/10/25 11:44:34 | 00,031,072 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/01/11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
PRC - [2007/07/05 18:55:06 | 02,521,624 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\UNS.exe
PRC - [2007/07/05 18:55:04 | 00,182,808 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchksrv.exe
PRC - [2007/07/05 18:55:02 | 00,408,088 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchk.exe
PRC - [2007/07/05 18:55:02 | 00,408,088 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchk.exe
PRC - [2007/07/05 18:54:58 | 00,109,080 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\LMS.exe
PRC - [2007/07/05 00:08:00 | 16,380,416 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2007/07/05 00:08:00 | 16,380,416 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\RTHDCPL.exe
PRC - [2007/06/28 20:43:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe
PRC - [2006/02/28 04:00:00 | 00,008,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\cidaemon.exe
PRC - [2005/02/25 16:28:03 | 00,212,992 | ---- | M] (Ahead Software) -- C:\Program Files\Nero\data\Xtras\mssysmgr.exe
PRC - [2003/09/17 10:43:36 | 00,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
PRC - [2003/09/17 10:43:36 | 00,057,344 | ---- | M] (Creative Technology Ltd) -- C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
PRC - [2003/04/06 01:06:58 | 00,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2003/04/06 01:06:58 | 00,028,672 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
PRC - [2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe
PRC - [1999/12/12 17:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE


========== Modules (SafeList) ==========

MOD - [2009/11/20 09:56:17 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\daniel\Desktop\OTL.exe
MOD - [2009/01/23 10:46:18 | 00,013,840 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2008/04/13 16:12:51 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
MOD - [2008/04/13 16:12:00 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mslbui.dll
MOD - [2008/04/13 16:11:53 | 00,185,344 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/10/28 20:21:14 | 00,545,568 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/27 08:50:12 | 00,316,312 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\Temp\0263051258567741mcinst.exe -- (0263051258567741mcinstcleanup)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2009/05/27 02:27:04 | 29,262,680 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$MSSMLBIZ)
SRV - [2009/02/25 17:06:42 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2009/01/23 10:46:14 | 00,203,280 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2008/12/12 10:17:38 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2008/11/24 22:31:12 | 00,087,904 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2008/11/24 22:31:08 | 00,239,968 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser)
SRV - [2008/11/24 22:31:08 | 00,045,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper)
SRV - [2008/11/04 01:06:28 | 00,441,712 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2008/10/25 11:44:08 | 00,065,888 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe -- (Microsoft Office Groove Audit Service)
SRV - [2008/07/29 20:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 18:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 18:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/04/13 16:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2008/01/11 17:50:16 | 00,030,312 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe -- (BcmSqlStartupSvc)
SRV - [2007/07/05 18:55:06 | 02,521,624 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\UNS.exe -- (UNS)
SRV - [2007/07/05 18:55:04 | 00,182,808 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\AMT\atchksrv.exe -- (atchksrv)
SRV - [2007/07/05 18:54:58 | 00,109,080 | R--- | M] (Intel) -- C:\Program Files\Intel\AMT\LMS.exe -- (LMS)
SRV - [2007/06/28 20:43:00 | 00,155,716 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\nvsvc32.exe -- (NVSvc)
SRV - [2007/02/20 17:35:02 | 00,073,728 | ---- | M] (HP) -- C:\Documents and Settings\michelliel\Local Settings\Temp\500064-PMLPatch\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2000/06/26 07:44:20 | 00,053,520 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MsPMSPSv.exe -- (WMDM PMSP Service)
SRV - [1999/12/12 17:01:00 | 00,044,032 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\CTSVCCDA.EXE -- (Creative Service for CDROM Access)


========== Driver Services (SafeList) ==========

DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/05/18 13:17:00 | 00,026,600 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2009/04/09 13:23:02 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\system32\drivers\Mpfp.sys -- (MPFP)
DRV - [2008/04/13 10:40:30 | 00,096,512 | ---- | M] () -- C:\WINDOWS\system32\DRIVERS\atapi.sys -- (atapi)
DRV - [2008/04/13 08:39:15 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv)
DRV - [2008/04/13 08:36:05 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2007/07/09 17:56:00 | 04,449,280 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2007/06/28 20:43:00 | 06,807,328 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/06/18 19:47:58 | 00,255,896 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\e1e5132.sys -- (e1express)
DRV - [2007/05/11 03:00:14 | 00,045,056 | R--- | M] (Intel Corporation) -- C:\WINDOWS\system32\drivers\HECI.sys -- (HECI)
DRV - [2007/03/08 15:18:00 | 00,008,320 | ---- | M] (GARMIN Corp.) -- C:\WINDOWS\system32\drivers\grmnusb.sys -- (grmnusb)
DRV - [2006/02/28 04:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink)
DRV - [2004/10/07 17:16:04 | 00,035,840 | ---- | M] (Oak Technology Inc.) -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/08/13 02:56:20 | 00,005,810 | R--- | M] () -- C:\WINDOWS\system32\drivers\ASACPI.sys -- (MTsensor)
DRV - [2004/06/04 00:27:46 | 00,840,960 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\P17.sys -- (P17)
DRV - [2003/09/21 16:48:06 | 00,130,192 | ---- | M] (Creative Technology Ltd) -- C:\WINDOWS\system32\drivers\ctsfm2k.sys -- (ctsfm2k)
DRV - [2003/09/21 16:47:38 | 00,178,672 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\ctoss2k.sys -- (ossrv)
DRV - [2003/03/08 20:31:02 | 00,021,456 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZius12.sys -- (HPZius12)
DRV - [2003/03/08 20:31:02 | 00,016,080 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\HPZipr12.sys -- (HPZipr12)
DRV - [2003/03/08 20:31:00 | 00,051,024 | R--- | M] (HP) -- C:\WINDOWS\system32\drivers\hpzid412.sys -- (HPZid412)
DRV - [2003/03/05 12:19:28 | 00,015,840 | ---- | M] (Creative Technology Ltd.) -- C:\WINDOWS\system32\drivers\PfModNT.sys -- (PfModNT)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-790525478-2139871995-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-790525478-2139871995-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-790525478-2139871995-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://groups.yahoo.com/group/solid_rock_climbers/
IE - HKU\S-1-5-21-790525478-2139871995-725345543-1003\S-1-5-21-790525478-2139871995-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-790525478-2139871995-725345543-1003\S-1-5-21-790525478-2139871995-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-21-790525478-2139871995-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKU\S-1-5-21-790525478-2139871995-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-790525478-2139871995-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-790525478-2139871995-725345543-1004\S-1-5-21-790525478-2139871995-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/08/30 12:32:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/09/03 21:14:10 | 00,000,000 | ---D | M]


O1 HOSTS File: (734 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O4 - HKLM..\Run: [Adobe ARM] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Alcmtr] C:\WINDOWS\Alcmtr.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [atchk] C:\Program Files\Intel\AMT\atchk.exe (Intel Corporation)
O4 - HKLM..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe (Creative Technology Ltd)
O4 - HKLM..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (Microsoft Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [McENUI] C:\Program Files\McAfee\MHN\McENUI.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe (Ahead Software Gmbh)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [RTHDCPL] C:\WINDOWS\RTHDCPL.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\Updreg.EXE (Creative Technology Ltd.)
O4 - HKU\S-1-5-21-790525478-2139871995-725345543-1003..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe (Citrix Online, a division of Citrix Systems, Inc.)
O4 - HKU\S-1-5-21-790525478-2139871995-725345543-1003..\Run: [PhotoShow Deluxe Media Manager] C:\Program Files\Nero\data\Xtras\mssysmgr.exe (Ahead Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe (Hewlett-Packard)
O4 - Startup: C:\Documents and Settings\daniel\Start Menu\Programs\Startup\Microsoft Office Outlook 2007.lnk = C:\WINDOWS\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe ()
O4 - Startup: C:\Documents and Settings\michelliel\Start Menu\Programs\Startup\Microsoft Office Outlook 2007.lnk = C:\WINDOWS\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-790525478-2139871995-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-790525478-2139871995-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-790525478-2139871995-725345543-1003\..Trusted Domains: aol.com ([free] http in Trusted sites)
O15 - HKU\S-1-5-21-790525478-2139871995-725345543-1003\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.3.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupd...b?1233701022375 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1233792066875 (MUWebControl Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 192.168.0.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/02/03 11:58:05 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{0e761a6b-f400-11dd-a50c-001d60dbff30}\Shell - "" = AutoRun
O33 - MountPoints2\{0e761a6b-f400-11dd-a50c-001d60dbff30}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{0e761a6b-f400-11dd-a50c-001d60dbff30}\Shell\AutoRun\command - "" = D:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/20 09:56:10 | 00,528,896 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\daniel\Desktop\OTL.exe
[2009/11/19 11:59:38 | 00,000,000 | ---D | C] -- C:\Documents and Settings\daniel\Application Data\Sun
[2009/11/18 19:52:07 | 00,000,000 | ---D | C] -- C:\Program Files\ESET
[2009/11/13 05:25:07 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2009/11/06 13:00:57 | 00,000,000 | ---D | C] -- C:\Program Files\iPod
[2009/11/06 13:00:54 | 00,000,000 | ---D | C] -- C:\Program Files\iTunes
[2009/02/03 14:30:36 | 00,065,536 | ---- | C] ( ) -- C:\WINDOWS\System32\A3d.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2009/11/20 09:56:17 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\daniel\Desktop\OTL.exe
[2009/11/20 09:30:53 | 00,014,597 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/11/18 19:09:25 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/18 11:28:24 | 00,002,533 | ---- | M] () -- C:\Documents and Settings\daniel\Start Menu\Programs\Startup\Microsoft Office Outlook 2007.lnk
[2009/11/18 10:30:47 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/18 10:30:46 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/18 10:30:44 | 21,295,71840 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/18 10:30:04 | 03,932,160 | -H-- | M] () -- C:\Documents and Settings\daniel\NTUSER.DAT
[2009/11/16 10:45:35 | 00,071,776 | ---- | M] () -- C:\Documents and Settings\daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/11/13 12:52:01 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2009/11/13 08:39:24 | 00,275,760 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/11/13 05:31:26 | 00,000,422 | ---- | M] () -- C:\WINDOWS\System32\mapisvc.inf
[2009/11/13 05:25:39 | 00,000,667 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/09 17:04:44 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/08 23:21:37 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/11/06 13:01:38 | 00,001,804 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/11/05 09:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MRT.exe
[2009/11/03 23:42:00 | 00,607,866 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/11/03 23:42:00 | 00,503,342 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/11/03 23:42:00 | 00,092,936 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/11/03 08:09:43 | 00,001,729 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/11/06 13:01:38 | 00,001,804 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009/11/03 08:09:43 | 00,001,729 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Adobe Reader 9.lnk
[2009/09/03 16:05:55 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/04/10 14:28:02 | 00,004,608 | ---- | C] () -- C:\Documents and Settings\daniel\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/03/02 08:40:33 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/02/05 19:48:44 | 00,071,776 | ---- | C] () -- C:\Documents and Settings\daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2009/02/04 15:54:25 | 00,000,214 | ---- | C] () -- C:\WINDOWS\HP_48BitScanUpdatePatch.ini
[2009/02/04 15:21:39 | 00,000,573 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2009/02/03 14:30:49 | 00,000,231 | ---- | C] () -- C:\WINDOWS\AC3API.INI
[2009/02/03 14:30:38 | 00,067,428 | ---- | C] () -- C:\WINDOWS\System32\LudaP17.ini
[2009/02/03 14:30:38 | 00,000,029 | ---- | C] () -- C:\WINDOWS\System32\ctzapxx.ini
[2009/02/03 14:30:37 | 00,060,928 | ---- | C] () -- C:\WINDOWS\System32\P17.dll
[2009/02/03 14:30:37 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\P17CPI.dll
[2009/02/03 14:30:28 | 00,000,072 | ---- | C] () -- C:\WINDOWS\SBWIN.INI
[2009/02/03 12:35:09 | 05,367,374 | -H-- | C] () -- C:\Documents and Settings\daniel\Local Settings\Application Data\IconCache.db
[2009/02/03 12:28:17 | 00,027,490 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2009/02/03 12:28:10 | 00,027,092 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/02/03 12:28:10 | 00,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2009/02/03 12:28:00 | 00,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2009/02/03 12:26:19 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\daniel\Application Data\desktop.ini
[2009/02/03 03:45:38 | 00,000,062 | -HS- | C] () -- C:\Documents and Settings\All Users\Application Data\desktop.ini
[2007/09/27 10:51:02 | 00,020,698 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2007/09/27 10:48:48 | 00,030,628 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2007/09/27 10:48:28 | 00,031,698 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2007/06/28 20:43:00 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/06/28 20:43:00 | 01,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/06/28 20:43:00 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/06/28 20:43:00 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/06/28 20:43:00 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/06/29 13:58:52 | 00,030,808 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalUserInterface.CompositeFont
[2006/06/29 13:53:56 | 00,026,489 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSansSerif.CompositeFont
[2006/04/18 14:39:28 | 00,029,779 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalSerif.CompositeFont
[2006/04/18 14:39:28 | 00,026,040 | ---- | C] () -- C:\WINDOWS\Fonts\GlobalMonospace.CompositeFont
[2006/02/28 04:00:00 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2006/02/28 04:00:00 | 00,000,667 | ---- | C] () -- C:\WINDOWS\win.ini
[2006/02/28 04:00:00 | 00,000,231 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/03/08 20:31:04 | 00,561,152 | ---- | C] () -- C:\WINDOWS\System32\hpotscl.dll
< End of report >


Extras-----------------------------------------------------------
OTL Extras logfile created on: 11/20/2009 9:58:00 AM - Run 1
OTL by OldTimer - Version 3.1.6.1 Folder = C:\Documents and Settings\daniel\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.98 Gb Total Physical Memory | 0.86 Gb Available Physical Memory | 43.16% Memory free
3.83 Gb Paging File | 2.74 Gb Available in Paging File | 71.39% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 195.31 Gb Total Space | 170.45 Gb Free Space | 87.27% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive X: | 270.45 Gb Total Space | 247.65 Gb Free Space | 91.57% Space Free | Partition Type: NTFS

Computer Name: STUPID
Current User Name: daniel
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE" = C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE" = C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove -- (Microsoft Corporation)
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE" = C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote -- (Microsoft Corporation)
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)
"{301CC8D1-FE75-41ED-9B11-41F006110950}" = Garmin City Navigator North America NT 2010.10 Update
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{353D20CC-719B-4A60-AD33-D03F88C10330}" = Microsoft Office Accounting PayPal Addin
"{46614A49-222A-48EF-87A9-BFD603E608E1}" = Microsoft Office Accounting Fixed Asset Manager
"{50120000-1105-0000-0000-0000000FF1CE}" = Microsoft Office 2007 Primary Interop Assemblies
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{56B4002F-671C-49F4-984C-C760FE3806B5}" = Microsoft SQL Server VSS Writer
"{56F3E1FF-54FE-4384-A153-6CCABA097814}" = Creative MediaSource
"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper
"{5FA793A6-0071-42C1-9355-8F69A428C44F}" = Microsoft Office Accounting ADP Payroll Addin
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{6ECB39BD-73C2-44DD-B1A0-898207C58D8B}" = HP Photo and Imaging 2.0 - All-in-One Drivers
"{734BB64A-5A3D-4624-867D-6358B7068496}" = Sound Blaster Live! 24-bit
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{86B879A5-927E-4536-B5FC-17CA96B60078}" = Garmin Communicator Plugin
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8C711818-076E-475C-B95B-DF11CD9D8DBE}" = Microsoft Office Accounting Equifax Addin
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ULTIMATER_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ULTIMATER_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ULTIMATER_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ULTIMATER_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ULTIMATER_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90A40409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office 2003 Web Components
"{91120000-002E-0000-0000-0000000FF1CE}" = Microsoft Office Ultimate 2007
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{91510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{9867A917-5D17-40DE-83BA-BEA5293194B1}" = HP Photo and Imaging 2.0 - All-in-One
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}" = QuickTime
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{A939D341-5A04-4E0A-BB55-3E65B386432D}" = Microsoft Office Small Business Connectivity Components
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A92000000001}" = Adobe Reader 9.2
"{B0717D5A-1976-482B-9ADF-F19631A541A4}" = Microsoft Office Accounting 2007
"{B1102A25-3AA3-446B-AA0F-A699B07A02FD}" = Garmin USB Drivers
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B32C4059-6E7A-41EF-AD20-56DF1872B923}" = Business Contact Manager for Outlook 2007 SP2
"{B376402D-58EA-45EA-BD50-DD924EB67A70}" = HP Memories Disc
"{B607C354-CD79-4D22-86D1-92DC94153F42}" = Apple Application Support
"{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}" = Microsoft SQL Server Native Client
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C900EF06-2E76-49C7-8DB0-41F629B21DC5}" = hp psc 1200 series
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D1A74FBB-CA8D-4CCA-9B89-BAAA436DB178}" = iTunes
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"45A7283175C62FAC673F913C1F532C5361F97841" = Windows Driver Package - Garmin (grmnusb) GARMIN Devices (03/08/2007 2.2.1.0)
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Business Contact Manager" = Business Contact Manager for Outlook 2007 SP2
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ESET Online Scanner" = ESET Online Scanner v3
"HECI" = Intel® Management Engine Interface
"HP PSC 1200 Series" = HP Photo and Imaging 2.0 - hp psc 1200 series
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"iLuminaPremium" = iLumina Gold Premium
"MESOL" = Intel® Active Management Technology
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Office Accounting 2007" = Microsoft Office Accounting 2007
"Microsoft Office Accounting Equifax Addin" = Microsoft Office Accounting Equifax Addin
"Microsoft Office Accounting PayPal Addin" = Microsoft Office Accounting PayPal Addin
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"MSC" = McAfee SecurityCenter
"Nero PhotoShow Express" = Nero PhotoShow Express
"NeroMultiInstaller!UninstallKey" = Nero Suite
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NVIDIA Drivers" = NVIDIA Drivers
"PROSet" = Intel® PRO Network Connections Drivers
"SysInfo" = Creative System Information
"TurboTax 2008" = TurboTax 2008
"ULTIMATER" = Microsoft Office Ultimate 2007
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-790525478-2139871995-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"GoToMeeting" = GoToMeeting 4.0.0.320

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 11/13/2009 2:05:55 AM | Computer Name = STUPID | Source = Application Hang | ID = 1002
Description = Hanging application iexplore.exe, version 7.0.6000.16915, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 11/13/2009 2:10:54 AM | Computer Name = STUPID | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 11/13/2009 9:30:20 AM | Computer Name = STUPID | Source = Windows Search Service | ID = 3006
Description = Performance monitoring cannot be initialized for the gatherer service,
because the counters are not loaded or the shared memory object cannot be opened.
This only affects availability of the perfmon counters. Restart the computer.

Error - 11/13/2009 9:30:20 AM | Computer Name = STUPID | Source = Windows Search Service | ID = 3007
Description = Performance monitoring cannot be initialized for the gatherer object,
because the counters are not loaded or the shared memory object cannot be opened.
This only affects availability of the perfmon counters. Restart the computer. Context:
Application, SystemIndex Catalog

Error - 11/13/2009 12:39:45 PM | Computer Name = STUPID | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 11/13/2009 2:47:07 PM | Computer Name = STUPID | Source = Windows Search Service | ID = 3013
Description = The entry <C:\DOCUMENTS AND SETTINGS\MICHELLIEL\MY DOCUMENTS\MY MUSIC\ITUNES\ITUNES
LIBRARY EXTRAS.ITDB-JOURNAL> in the hash map cannot be updated. Context: Application,
SystemIndex Catalog Details: A device attached to the system is not functioning.
(0x8007001f)

Error - 11/14/2009 12:14:58 PM | Computer Name = STUPID | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 11/16/2009 12:52:42 AM | Computer Name = STUPID | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 11/16/2009 2:05:17 PM | Computer Name = STUPID | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

Error - 11/18/2009 2:31:06 PM | Computer Name = STUPID | Source = Intel® AMT | ID = 2002
Description = [UNS] Failed to subscribe to local Intel® AMT.

[ System Events ]
Error - 11/18/2009 7:42:07 PM | Computer Name = STUPID | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 001D60DBFF30 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 11/18/2009 11:06:26 PM | Computer Name = STUPID | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 75.19.42.24 on
the Network Card with network address 001D60DBFF30.

Error - 11/18/2009 11:06:46 PM | Computer Name = STUPID | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 001D60DBFF30 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 11/18/2009 11:09:24 PM | Computer Name = STUPID | Source = DCOM | ID = 10001
Description = Unable to start a DCOM Server: {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493}
as /. The error: "%233" Happened while starting this command: c:\PROGRA~1\mcafee.com\agent\mcagent.exe
-Embedding

Error - 11/19/2009 1:48:04 AM | Computer Name = STUPID | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 75.39.219.215 on
the Network Card with network address 001D60DBFF30.

Error - 11/19/2009 1:48:24 AM | Computer Name = STUPID | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 001D60DBFF30 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 11/19/2009 1:55:28 PM | Computer Name = STUPID | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 75.19.33.232 on
the Network Card with network address 001D60DBFF30.

Error - 11/19/2009 1:55:52 PM | Computer Name = STUPID | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 001D60DBFF30 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).

Error - 11/20/2009 1:30:19 PM | Computer Name = STUPID | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 75.34.231.83 on
the Network Card with network address 001D60DBFF30.

Error - 11/20/2009 1:30:43 PM | Computer Name = STUPID | Source = Dhcp | ID = 1002
Description = The IP address lease 192.168.1.64 for the Network Card with network
address 001D60DBFF30 has been denied by the DHCP server 192.168.0.1 (The DHCP Server
sent a DHCPNACK message).


< End of report >

#4 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home
  • Local time:05:04 PM

Posted 22 November 2009 - 12:52 PM

Hi,

Not every PC has Java installed, so it doesn't necessarily mean anything suspicious that you can't find it.

Please run a scan with gmer to check for rootkits:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


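Once GMER has produced its log, most of the work is deciding which of the listed hooks belong to an installed security product and which do not. As an added example (not part of GMER, and not code posted by anyone in this thread), the Python script below parses the three hook line formats GMER 1.0.15 prints (SSDT "Code ..." entries, kernel code-section patches and user-mode inline patches), groups kernel hooks by the driver GMER attributes them to, and separates out user-mode jumps whose target GMER could not attribute to any loaded module. The sample log embedded in the script is constructed in the same format as the GMER log posted later in this thread; the per-process coverage check is a triage heuristic of this example, not a GMER feature.

```python
"""Triage helper for GMER rootkit-scan logs (example code, not part of GMER)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# SSDT entry:  Code <driver> (<description>) <routine> [0x<target>]
SSDT_RE = re.compile(
    r"^Code\s+(?P<driver>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)"
    r"(?:\s+\[0x(?P<target>[0-9A-Fa-f]+)\])?$")
# Inline patch:  <section> [<process>[pid]] <module>!<routine>[ + off] <addr> <n> Bytes <patch>
INLINE_RE = re.compile(
    r"^(?P<section>\S+)\s+(?:(?P<owner>.+?\[\d+\])\s+)?"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)(?:\s\+\s(?P<off>\d+))?"
    r"\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+) Bytes\s+(?P<patch>.+)$")
# <patch> is either "JMP <target> [<module> (<description>)]" or raw bytes such as "[8E, 89]"
JMP_RE = re.compile(
    r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})(?:\s+(?P<driver>\S+)\s+\((?P<desc>[^)]*)\))?$")

# Constructed sample in the format GMER 1.0.15 prints; not a real scan result.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB5FAC78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B5FAC78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 016F0FEF
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 016E0F79
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8E, 89]
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01110FEF
.text C:\WINDOWS\system32\lsass.exe[824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50FEF
"""


@dataclass(frozen=True)
class Hook:
    scope: str              # "kernel" or "<process path>[pid]"
    func: str               # hooked routine, e.g. "kernel32.dll!CreateFileA"
    target: Optional[str]   # jump target (hex) or None for a raw byte patch
    owner: Optional[str]    # module GMER attributed the target to, if any
    desc: Optional[str]     # description GMER printed for that module


def parse_gmer(text: str):
    """Return one Hook per SSDT entry or inline patch; other lines are ignored."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SSDT_RE.match(line)
        if m:
            hooks.append(Hook("kernel", m["func"], m["target"], m["driver"], m["desc"]))
            continue
        m = INLINE_RE.match(line)
        if not m:
            continue  # section headers, blank lines, anything that is not a hook
        scope = m["owner"] or "kernel"
        func = f"{m['module']}!{m['func']}"
        j = JMP_RE.match(m["patch"])
        if j:
            hooks.append(Hook(scope, func, j["target"].upper(), j["driver"], j["desc"]))
        else:
            hooks.append(Hook(scope, func, None, None, None))  # in-place byte change
    return hooks


def triage(hooks):
    """Group hooks by attribution.

    attributed:   {module: {routines}}  GMER resolved the jump target to a module
    unattributed: {scope: {routines}}   jump into memory no loaded module claims
    byte_patches: {scope: {routines}}   raw byte changes with no jump target
    """
    out = {"attributed": defaultdict(set), "unattributed": defaultdict(set),
           "byte_patches": defaultdict(set)}
    for h in hooks:
        if h.owner:
            out["attributed"][h.owner].add(h.func)
        elif h.target:
            out["unattributed"][h.scope].add(h.func)
        else:
            out["byte_patches"][h.scope].add(h.func)
    return {k: dict(v) for k, v in out.items()}


def process_coverage(hooks):
    """Heuristic for unattributed user-mode jumps: which processes hook each routine.

    A HIPS that injects into every process tends to hook the same routine set
    everywhere; a routine hooked in only one or two processes is where to look first.
    """
    procs = {h.scope for h in hooks if h.scope != "kernel"}
    by_func = defaultdict(set)
    for h in hooks:
        if h.scope != "kernel" and h.target and not h.owner:
            by_func[h.func].add(h.scope)
    everywhere = {f for f, s in by_func.items() if s == procs}
    partial = {f: sorted(s) for f, s in by_func.items() if s != procs}
    return everywhere, partial


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    report = triage(found)
    for module, funcs in report["attributed"].items():
        print(f"attributed to {module}: {len(funcs)} hook(s)")
    for scope, funcs in report["unattributed"].items():
        print(f"unattributed jumps in {scope}: {sorted(funcs)}")
    common, uncommon = process_coverage(found)
    print("hooked in every listed process:", sorted(common))
    print("hooked in only some processes:", uncommon)
```

On the sample, every kernel hook is attributed to mfehidk.sys, McAfee's host intrusion detection driver, which is what you expect on a machine with McAfee SecurityCenter installed; CreateFileA is hooked identically in every listed process, while RegCreateKeyW is hooked only in services.exe. Unattributed jumps are not by themselves evidence of a rootkit: a HIPS that injects a hook DLL into every process produces exactly that pattern, so compare the hooked routine set against what the installed product is known to do before treating it as malicious. To use it on a real scan, call `parse_gmer(open("gmer.log", encoding="utf-8", errors="replace").read())`.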

#5 notthecraw

notthecraw
  • Topic Starter

  • Members
  • 36 posts
  • Local time:08:04 AM

Posted 22 November 2009 - 04:40 PM

Hi myrti,

Ah, but I did have Java installed; then, after my original post, surfing around led me to suspect a problem with Java, so I installed (or attempted to install; no error popped up) the latest version, but it's still not in my SW listing, which is why I thought it was suspicious.

Anyway, I did solve one problem that turned out to be a red herring. My wonderful wife (lit. full of wonder!) had rearranged phones and did not plug in the DSL filter; once I found that, my internet speed came back, so I'm left with just the original browser redirect problem.

Here is the gmer log:

GMER 1.0.15.15227 - http://www.gmer.net
Rootkit scan 2009-11-22 13:29:36
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\daniel\LOCALS~1\Temp\pwtdypoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB5FAC78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB5FAC821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB5FAC738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB5FAC74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB5FAC835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB5FAC861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB5FAC8CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB5FAC8B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB5FAC7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB5FAC8FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB5FAC80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB5FAC710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB5FAC724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB5FAC79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB5FAC937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB5FAC8A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB5FAC88D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB5FAC84B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB5FAC923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB5FAC90F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB5FAC776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB5FAC762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB5FAC877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB5FAC7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB5FAC8E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB5FAC7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB5FAC7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B5FAC7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B5FAC78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP B5FAC7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP B5FAC7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP B5FAC7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP B5FAC714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP B5FAC728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP B5FAC766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP B5FAC750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP B5FAC73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP B5FAC77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP B5FAC7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP B5FAC891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP B5FAC87B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP B5FAC8E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP B5FAC8A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP B5FAC84F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP B5FAC825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP B5FAC839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP B5FAC865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP B5FAC8D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP B5FAC8BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP B5FAC811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP B5FAC93B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP B5FAC913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP B5FAC927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP B5FAC8FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A80F88
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A8007D
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A8006C
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80FAF
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A80FCA
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A800C9
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A800AE
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A80106
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A800F5
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80F52
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A80051
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80FEF
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A80F77
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A80036
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80025
.text C:\WINDOWS\system32\svchost.exe[536] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A800DA
.text C:\WINDOWS\system32\svchost.exe[536] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00940FC0
.text C:\WINDOWS\system32\svchost.exe[536] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00940069
.text C:\WINDOWS\system32\svchost.exe[536] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00940FE5
.text C:\WINDOWS\system32\svchost.exe[536] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0094001B
.text C:\WINDOWS\system32\svchost.exe[536] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0094004E
.text C:\WINDOWS\system32\svchost.exe[536] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00940000
.text C:\WINDOWS\system32\svchost.exe[536] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0094003D
.text C:\WINDOWS\system32\svchost.exe[536] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0094002C
.text C:\WINDOWS\system32\svchost.exe[536] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00930F86
.text C:\WINDOWS\system32\svchost.exe[536] msvcrt.dll!system 77C293C7 5 Bytes JMP 00930F97
.text C:\WINDOWS\system32\svchost.exe[536] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00930FCD
.text C:\WINDOWS\system32\svchost.exe[536] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00930FEF
.text C:\WINDOWS\system32\svchost.exe[536] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00930FB2
.text C:\WINDOWS\system32\svchost.exe[536] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00930FDE
.text C:\WINDOWS\system32\svchost.exe[536] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00910FEF
.text C:\WINDOWS\system32\svchost.exe[536] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 0091000A
.text C:\WINDOWS\system32\svchost.exe[536] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00910FD4
.text C:\WINDOWS\system32\svchost.exe[536] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00910025
.text C:\WINDOWS\system32\svchost.exe[536] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 016F0FEF
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 016F0064
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 016F0F6F
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 016F0F8A
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 016F0FA5
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 016F0FC0
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 016F0F37
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 016F007F
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 016F00A4
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 016F0F0B
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 016F00C9
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 016F0047
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 016F000A
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 016F0F5E
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 016F002C
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 016F001B
.text C:\WINDOWS\system32\services.exe[812] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 016F0F26
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 016E0FAF
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 016E0F57
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 016E0FCA
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 016E0FE5
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 016E0F68
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 016E0000
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 016E0F79
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8E, 89]
.text C:\WINDOWS\system32\services.exe[812] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 016E0F9E
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 0139005A
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!system 77C293C7 5 Bytes JMP 01390FCF
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01390038
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01390000
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01390049
.text C:\WINDOWS\system32\services.exe[812] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0139001D
.text C:\WINDOWS\system32\services.exe[812] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01370FEF
.text C:\WINDOWS\system32\services.exe[812] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01370FDE
.text C:\WINDOWS\system32\services.exe[812] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01370FCD
.text C:\WINDOWS\system32\services.exe[812] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01370FBC
.text C:\WINDOWS\system32\services.exe[812] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0138000A
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 01110FEF
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 01110F8D
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 01110F9E
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01110FB9
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 01110076
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 01110040
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 011100C4
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 01110F72
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 011100FA
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 01110F61
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 0111010B
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0111005B
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 01110FD4
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0111009D
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 01110025
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 01110014
.text C:\WINDOWS\system32\lsass.exe[824] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 011100D5
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00FF0036
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00FF0FAF
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00FF001B
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00FF0FE5
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00FF0FCA
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00FF0000
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00FF006C
.text C:\WINDOWS\system32\lsass.exe[824] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00FF0047
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E60042
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E60027
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E60FD2
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E60FE3
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E60FB7
.text C:\WINDOWS\system32\lsass.exe[824] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E6000C
.text C:\WINDOWS\system32\lsass.exe[824] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E50FEF
.text C:\WINDOWS\system32\lsass.exe[824] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00D80FEF
.text C:\WINDOWS\system32\lsass.exe[824] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00D80000
.text C:\WINDOWS\system32\lsass.exe[824] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00D80FC0
.text C:\WINDOWS\system32\lsass.exe[824] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00D8001B
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027F0000
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 027F0075
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 027F0F80
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 027F0058
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 027F0F9B
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 027F0033
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 027F0F48
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 027F0090
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027F0F23
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 027F00C6
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 027F0F12
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 027F0FAC
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 027F0011
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 027F0F65
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 027F0022
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 027F0FDB
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 027F00AB
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 027E002C
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 027E006C
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 027E001B
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 027E0FE5
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 027E0FAF
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 027E0000
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 027E0FC0
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9E, 8A]
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 027E0047
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 027D005D
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!system 77C293C7 5 Bytes JMP 027D0038
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 027D0FD2
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_open 77C2F566 5 Bytes JMP 027D0FE3
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 027D0027
.text C:\WINDOWS\system32\svchost.exe[1008] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 027D0000
.text C:\WINDOWS\system32\svchost.exe[1008] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 027B0FEF
.text C:\WINDOWS\system32\svchost.exe[1008] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 027B000A
.text C:\WINDOWS\system32\svchost.exe[1008] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 027B001B
.text C:\WINDOWS\system32\svchost.exe[1008] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 027B002C
.text C:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027C0FEF
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 013B0FEF
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 013B0F81
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 013B0076
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 013B005B
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 013B004A
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 013B0039
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 013B0F5A
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 013B00AC
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 013B0F27
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 013B0F38
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 013B0F0C
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 013B0FA8
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 013B0FDE
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 013B009B
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 013B0FCD
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 013B001E
.text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 013B0F49
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013A004A
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013A0FA1
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013A0025
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013A000A
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013A0FB2
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013A0FEF
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 013A0FCD
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5A, 89]
.text C:\WINDOWS\system32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013A0FDE
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 01390F9E
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!system 77C293C7 5 Bytes JMP 01390FB9
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 01390029
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_open 77C2F566 5 Bytes JMP 01390FEF
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 01390FD4
.text C:\WINDOWS\system32\svchost.exe[1088] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 01390018
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 011A0000
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 011A001B
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 011A0036
.text C:\WINDOWS\system32\svchost.exe[1088] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 011A0047
.text C:\WINDOWS\system32\svchost.exe[1088] WS2_32.dll!socket 71AB4211 5 Bytes JMP 011B0FEF
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 03940FEF
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 03940F8D
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 03940082
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 03940071
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 03940054
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 03940FCD
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 03940F6B
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 03940F7C
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 039400CE
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 03940F35
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 03940F1A
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 03940FBC
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0394000A
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0394009D
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 03940FDE
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0394002F
.text C:\WINDOWS\System32\svchost.exe[1192] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 03940F46
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 03930FCA
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 03930051
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 03930FE5
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 0393001B
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 03930036
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 03930000
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 03930F94
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [B3, 8B] {MOV BL, 0x8b}
.text C:\WINDOWS\System32\svchost.exe[1192] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 03930FAF
.text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 03920058
.text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!system 77C293C7 5 Bytes JMP 03920FC3
.text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 03920FEF
.text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!_open 77C2F566 5 Bytes JMP 03920000
.text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 03920FD4
.text C:\WINDOWS\System32\svchost.exe[1192] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 0392001D
.text C:\WINDOWS\System32\svchost.exe[1192] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 03880000
.text C:\WINDOWS\System32\svchost.exe[1192] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 03880FE5
.text C:\WINDOWS\System32\svchost.exe[1192] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0388001B
.text C:\WINDOWS\System32\svchost.exe[1192] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 03880FD4
.text C:\WINDOWS\System32\svchost.exe[1192] WS2_32.dll!socket 71AB4211 5 Bytes JMP 03890000
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B30000
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B30087
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B30F92
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B30FAD
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B30076
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B30036
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B30F53
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B30F64
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B300C7
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B30F38
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B300E2
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B30051
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B30025
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B30F81
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B30FCA
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B30FE5
.text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B300B6
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AE0036
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AE0F8A
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AE001B
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AE0FA5
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AE0000
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00AE0FB6
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [CE, 88]
.text C:\WINDOWS\system32\svchost.exe[1276] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AE0047
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AD0047
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AD0FBC
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AD0FDE
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AD000C
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AD0FCD
.text C:\WINDOWS\system32\svchost.exe[1276] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AD0FEF
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00AB0FEF
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00AB000A
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00AB0FD4
.text C:\WINDOWS\system32\svchost.exe[1276] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00AB0025
.text C:\WINDOWS\system32\svchost.exe[1276] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00AC0000
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D000A7
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D00082
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00FA8
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D00065
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D00F7C
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D000CE
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D00F61
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D000FA
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D00F50
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D00FC3
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D0000A
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D00F97
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D00040
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D0002F
.text C:\WINDOWS\system32\svchost.exe[1396] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D000E9
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CF002C
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CF0F8A
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CF001B
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CF0000
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CF0047
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CF0FEF
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00CF0FA5
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [EF, 88]
.text C:\WINDOWS\system32\svchost.exe[1396] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CF0FC0
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CE001D
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CE000C
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CE0FB7
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CE0FEF
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CE0F9C
.text C:\WINDOWS\system32\svchost.exe[1396] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CE0FDE
.text C:\WINDOWS\system32\svchost.exe[1396] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 009A0000
.text C:\WINDOWS\system32\svchost.exe[1396] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 009A0011
.text C:\WINDOWS\system32\svchost.exe[1396] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 009A0FE5
.text C:\WINDOWS\system32\svchost.exe[1396] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 009A0FCA
.text C:\WINDOWS\system32\svchost.exe[1396] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00CD000A
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014C0000
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 014C0F76
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 014C006B
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 014C0F91
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 014C004E
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 014C003D
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 014C0F43
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 014C0F54
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014C0F21
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 014C00B0
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 014C00D5
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 014C0FAC
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 014C0011
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 014C0F65
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 014C002C
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 014C0FE5
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 014C0F32
.text C:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 013E0036
.text C:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 013E0076
.text C:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 013E0025
.text C:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 013E000A
.text C:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 013E005B
.text C:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 013E0FEF
.text C:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 013E0FC3
.text C:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [5E, 89]
.text C:\WINDOWS\Explorer.EXE[1892] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 013E0FD4
.text C:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E30FA4
.text C:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E30FB5
.text C:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30011
.text C:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30000
.text C:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E30FC6
.text C:\WINDOWS\Explorer.EXE[1892] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E30FD7
.text C:\WINDOWS\Explorer.EXE[1892] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 01550000
.text C:\WINDOWS\Explorer.EXE[1892] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 01550FE5
.text C:\WINDOWS\Explorer.EXE[1892] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01550FD4
.text C:\WINDOWS\Explorer.EXE[1892] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 01550FB9
.text C:\WINDOWS\Explorer.EXE[1892] WS2_32.dll!socket 71AB4211 5 Bytes JMP 01F50FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2704] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2704] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00200FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0020007F
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00200F94
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0020006E
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00200051
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00200036
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 002000BC
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 002000AB
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00200F4F
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002000E8
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00200F34
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00200FB9
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00200FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0020009A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00200025
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0020000A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002000D7
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002F004E
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] msvcrt.dll!system 77C293C7 5 Bytes JMP 002F0FB9
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002F0FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002F0FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002F0029
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002F000C
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00300FAF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00300F79
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0030000A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00300FD4
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00300F8A
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00300FEF
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 0030002C
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0030001B
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00690000
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00690011
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 0069002C
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00690047
.text C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe[2984] WS2_32.dll!socket 71AB4211 5 Bytes JMP 33F90000
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00AF0000
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00AF0F70
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00AF0F81
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00AF0F92
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00AF0FAF
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00AF0047
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00AF0F27
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00AF0F38
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AF0EE7
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00AF0F02
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00AF0091
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00AF0FC0
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00AF0011
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00AF0F55
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00AF002C
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00AF0FDB
.text C:\WINDOWS\system32\svchost.exe[3340] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00AF0080
.text C:\WINDOWS\system32\svchost.exe[3340] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00AE0025
.text C:\WINDOWS\system32\svchost.exe[3340] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00AE006F
.text C:\WINDOWS\system32\svchost.exe[3340] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00AE000A
.text C:\WINDOWS\system32\svchost.exe[3340] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00AE0FD4
.text C:\WINDOWS\system32\svchost.exe[3340] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00AE0FA8
.text C:\WINDOWS\system32\svchost.exe[3340] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00AE0FEF
.text C:\WINDOWS\system32\svchost.exe[3340] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00AE004A
.text C:\WINDOWS\system32\svchost.exe[3340] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00AE0FB9
.text C:\WINDOWS\system32\svchost.exe[3340] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00AD0F7F
.text C:\WINDOWS\system32\svchost.exe[3340] msvcrt.dll!system 77C293C7 5 Bytes JMP 00AD0F9A
.text C:\WINDOWS\system32\svchost.exe[3340] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00AD0000
.text C:\WINDOWS\system32\svchost.exe[3340] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00AD0FE3
.text C:\WINDOWS\system32\svchost.exe[3340] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00AD0FAB
.text C:\WINDOWS\system32\svchost.exe[3340] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00AD0FC6
.text C:\WINDOWS\system32\svchost.exe[3340] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 00730FEF
.text C:\WINDOWS\system32\svchost.exe[3340] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 00730FD4
.text C:\WINDOWS\system32\svchost.exe[3340] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 00730FC3
.text C:\WINDOWS\system32\svchost.exe[3340] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 00730014
.text C:\WINDOWS\system32\SearchIndexer.exe[3696] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

Device \Driver\00000718 -> \Driver\atapi \Device\Harddisk0\DR0 89D1150C

---- EOF - GMER 1.0.15 ----
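The `.text` listing above can be triaged mechanically, and doing so shows why the helper reads it as a rootkit. As an added example (not part of the original post, and not GMER's own code), the following Python parses lines in this exact format and applies GMER's own convention: the tool appends the owning module's path and file description after the JMP target only when that target falls inside a loaded image, as it does for the McAfee mcproxy.exe and MSSRCH.DLL entries, so a bare target is a jump into memory that no file on disk backs. The sample lines are a constructed subset of this log; the function names (`parse_hook`, `classify`, `summarize`, `suspicious_pids`, `common_unbacked_exports`) are chosen here. The script looks only at user-mode hook lines and does not assess the kernel-side `Devices` section, where the `\Driver\00000718 -> \Driver\atapi` entry is reported separately.

```python
import re
from collections import defaultdict

# One GMER user-mode hook line (the PID sits in [] right after the process path):
#   .text <process>[<pid>] <module>!<export>[ + <off>] <addr> <n> Bytes JMP <target>[ <owner path> (<desc/vendor>)]
# The second half of a split patch carries raw bytes "[B3, 8B]" instead of a JMP.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<export>\S+)(?:\s\+\s(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?:JMP\s+(?P<target>[0-9A-F]{8})|\[(?P<raw>[^\]]+)\])(?P<tail>.*)$",
    re.IGNORECASE,
)
# GMER appends "<path> (<description/vendor>)" only when the JMP target lies inside a loaded image.
OWNER_RE = re.compile(r"^\s*(?P<path>[A-Za-z]:\\.+?)\s+\((?P<desc>[^)]*)\)\s*$")


def parse_hook(line):
    """Parse one '.text' hook line into a dict; return None for any other line."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    owner = OWNER_RE.match(m.group("tail") or "")
    return {
        "process": m.group("proc").rsplit("\\", 1)[-1].lower(),
        "pid": int(m.group("pid")),
        "module": m.group("module").lower(),
        "export": m.group("export"),
        "target": int(m.group("target"), 16) if m.group("target") else None,
        "owner_path": owner.group("path") if owner else None,
        "owner_desc": owner.group("desc") if owner else None,
    }


def classify(hook):
    """'attributed': target inside a named image (the McAfee/MSSRCH entries);
    'unbacked': target in memory GMER could not map to any image;
    'patch-fragment': the "+ 3" raw-bytes half of a split patch."""
    if hook["target"] is None:
        return "patch-fragment"
    return "attributed" if hook["owner_path"] else "unbacked"


def summarize(lines):
    """Per-PID counts, hooked DLLs, and the 64 KiB regions the unbacked hooks jump into."""
    per_pid = {}
    for line in lines:
        h = parse_hook(line)
        if h is None:
            continue
        e = per_pid.setdefault(h["pid"], {
            "process": h["process"], "attributed": 0, "unbacked": 0,
            "patch_fragments": 0, "hooked_modules": set(), "regions": set()})
        label = classify(h)
        if label == "attributed":
            e["attributed"] += 1
        elif label == "unbacked":
            e["unbacked"] += 1
            e["hooked_modules"].add(h["module"])
            e["regions"].add(h["target"] & 0xFFFF0000)  # one trampoline region per hooked DLL
        else:
            e["patch_fragments"] += 1
    return per_pid


def suspicious_pids(per_pid):
    """PIDs carrying at least one hook into unbacked memory."""
    return sorted(pid for pid, e in per_pid.items() if e["unbacked"])


def common_unbacked_exports(lines):
    """Exports hooked into unbacked memory in every affected process: the same API
    set in each process points at one injected component, not per-app hooking."""
    by_pid = defaultdict(set)
    for h in map(parse_hook, lines):
        if h and classify(h) == "unbacked":
            by_pid[h["pid"]].add(f'{h["module"]}!{h["export"]}')
    return set.intersection(*by_pid.values()) if by_pid else set()


# Constructed sample: a subset of lines copied in form from the log above, plus one non-hook line.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 027F0000
.text C:\WINDOWS\system32\svchost.exe[1008] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 027F0F23
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 027E0FC0
.text C:\WINDOWS\system32\svchost.exe[1008] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [9E, 8A]
.text C:\WINDOWS\system32\svchost.exe[1008] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 027B001B
.text C:\WINDOWS\system32\svchost.exe[1008] WS2_32.dll!socket 71AB4211 5 Bytes JMP 027C0FEF
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 014C0000
.text C:\WINDOWS\Explorer.EXE[1892] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 014C0F21
.text C:\WINDOWS\Explorer.EXE[1892] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 01550FD4
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[2704] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\WINDOWS\system32\SearchIndexer.exe[3696] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    per = summarize(SAMPLE_LOG.splitlines())
    for pid in suspicious_pids(per):
        e = per[pid]
        print(f"{e['process']}[{pid}]: {e['unbacked']} hooks into unbacked memory, "
              f"DLLs {sorted(e['hooked_modules'])}, regions {[hex(r) for r in sorted(e['regions'])]}")
    print("hooked in every affected process:", sorted(common_unbacked_exports(SAMPLE_LOG.splitlines())))
```

Run it as a plain script, or replace `SAMPLE_LOG` with the contents of a saved GMER log. A missing owner is not proof on its own; the confirming pattern in this log is that the same file, process, registry, network and `system()` APIs are hooked in every svchost.exe, Explorer.EXE and sqlservr.exe instance, with each DLL's hooks jumping into its own 64 KiB region (`027Fxxxx` for kernel32, `027Exxxx` for ADVAPI32, and so on in svchost.exe[1008]), which `common_unbacked_exports` and the per-PID `regions` set make visible.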

#6 myrti (Malware Study Hall Admin)

Posted 22 November 2009 - 09:10 PM

Hi,

it does indeed look like you have been infected with one of the more nasty rootkits flying around. Please try to run Combofix:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon; check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!
#7 notthecraw
  • Topic Starter
  • Members
  • 36 posts

Posted 22 November 2009 - 11:12 PM

I am logged on using another computer; the machine in question had a stroke after running ComboFix. Fa-la-la-la-la!

The keyboard doesn't work so I couldn't enter a response, and the USB port is not recognized so I could not transfer the log to this other computer. My protection suite (firewall, anti-virus, etc.) icon is no longer on the toolbar, and many other icons have disappeared. Anyway, I didn't want to connect without this protection so I dug up another computer to communicate on.

I thought about rebooting the machine but figured I better check with you first so that you can tell me how to proceed...

Thanks,

~Dan

#8 myrti
    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts

Posted 23 November 2009 - 02:41 PM

Hi,

That doesn't sound good. This should not have happened. Please reboot and check if this fixes the problem.


If not, we will try to fix this as quickly as possible. For this we'll need some more information: can you somehow get the combofix.txt for me? (Maybe burn it to a CD or copy it to a floppy if you have a floppy reader.) Did you get a message about rootkit activity before ComboFix rebooted?

Did Combofix ask you to install Recovery Console? Did you say yes?

Can you check if the keyboard is recognized early at boot? Can you get into safe mode by hitting F8?

regards myrti



#9 notthecraw
  • Topic Starter
  • Members
  • 36 posts

Posted 23 November 2009 - 03:22 PM

Thanks myrti,

1. Rebooted; keyboard functionality and lost icons returned -- good.
2. Virus activity still apparent; see McAfee note:
"McAfee has automatically blocked and removed a Trojan.
About this Trojan
Detected: Artemis!1BC534D5AEE6 (Trojan), Artemis!1BC534D5AEE6 (Trojan)
Location: C:\Documents and Settings\daniel\Desktop\ComboFix.exe" :(
3. Recovery Console was installed by ComboFix, yes.
4. ComboFix log follows:

ComboFix 09-11-22.04 - daniel 11/22/2009 18:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1340 [GMT -8:00]
Running from: c:\documents and settings\daniel\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Data

.
((((((((((((((((((((((((( Files Created from 2009-10-23 to 2009-11-23 )))))))))))))))))))))))))))))))
.

2009-11-19 03:52 . 2009-11-19 03:52 -------- d-----w- c:\program files\ESET
2009-11-06 21:00 . 2009-11-06 21:00 -------- d-----w- c:\program files\iPod
2009-11-06 21:00 . 2009-11-06 21:01 -------- d-----w- c:\program files\iTunes
2009-11-06 20:55 . 2009-11-06 20:55 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 02:16 . 2009-02-04 16:14 -------- d-----w- c:\program files\McAfee
2009-11-16 18:45 . 2009-02-06 03:48 71776 ----a-w- c:\documents and settings\daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-13 18:46 . 2009-09-24 23:33 -------- d-----w- c:\documents and settings\michelliel\Application Data\Apple Computer
2009-11-13 18:46 . 2009-02-04 20:56 71776 ----a-w- c:\documents and settings\michelliel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-13 13:30 . 2009-02-04 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-13 13:27 . 2009-02-04 20:09 -------- d-----w- c:\program files\Microsoft Works
2009-11-10 20:59 . 2009-02-04 16:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-06 21:00 . 2009-09-04 20:02 -------- d-----w- c:\program files\Common Files\Apple
2009-11-03 16:09 . 2009-02-04 23:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-17 19:02 . 2009-02-09 18:34 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-09 21:51 . 2009-10-09 21:51 -------- d-----w- c:\documents and settings\daniel\Application Data\Intuit
2009-10-09 20:34 . 2009-10-09 20:34 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2009-10-09 20:32 . 2009-10-09 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-10-09 20:32 . 2009-10-09 20:31 -------- d-----w- c:\program files\Common Files\Intuit
2009-10-09 20:30 . 2009-10-09 20:30 -------- d-----w- c:\program files\TurboTax
2009-10-09 20:02 . 2009-10-09 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-09 20:00 . 2009-09-04 19:57 -------- d-----w- c:\program files\QuickTime
2009-09-24 23:30 . 2009-09-24 23:29 -------- d-----w- c:\documents and settings\michelliel\Application Data\Creative
2009-09-16 17:22 . 2009-02-04 16:15 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22 . 2009-02-04 16:15 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22 . 2009-02-04 16:15 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22 . 2009-02-04 16:15 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22 . 2009-02-04 16:15 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 3A7818DBA51A390A135929B54FA8BDC2 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2006-02-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\system32\DRIVERS\atapi.sys
[7] 2006-02-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\320\g2mstart.exe" [2009-02-23 31552]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-07-06 408088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]

c:\documents and settings\michelliel\Start Menu\Programs\Startup\
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe [2009-2-4 845584]

c:\documents and settings\daniel\Start Menu\Programs\Startup\
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe [2009-2-4 845584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2/25/2009 5:06 PM 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/4/2009 8:17 AM 203280]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2/3/2009 2:16 PM 2521624]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - PWTDYPOC
*Deregistered* - CLASSPNP_2
*Deregistered* - pwtdypoc
.
Contents of the 'Scheduled Tasks' folder

2009-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-18 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8233791596.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 08:52]

2009-02-04 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-04 19:22]

2009-02-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-04 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://groups.yahoo.com/group/solid_rock_climbers/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-22 18:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89D1150C]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba90cf28
\Driver\ACPI -> ACPI.sys @ 0xba77fcb8
\Driver\atapi -> atapi.sys @ 0xba711852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® 82566DM-2 Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xba61dbb0
PacketIndicateHandler -> NDIS.sys @ 0xba62aa21
SendHandler -> NDIS.sys @ 0xba60887b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(824)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(5308)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-11-22 18:43
ComboFix-quarantined-files.txt 2009-11-23 02:42

Pre-Run: 182,846,214,144 bytes free
Post-Run: 183,144,022,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 29696117E0E76485B2A5E311B374C707

#10 myrti
    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts

Posted 23 November 2009 - 03:38 PM

Hi,

Sadly, many anti virus programs target the programs we use to clean the PCs as malware; this is the main reason we ask to disable them during the run. This may also have been the reason for your missing icons: McAfee blocked part of the ComboFix run.

We need to run a script with ComboFix; you still have a nasty rootkit. Please download a new copy of ComboFix to your desktop.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

FCopy::
c:\windows\ServicePackFiles\i386\atapi.sys | c:\windows\system32\drivers\atapi.sys


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards myrti


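The helper read the Sigcheck section of the log above by eye: the live c:\windows\system32\drivers\atapi.sys carries an MD5 that none of the OS-kept backup copies carry, and the FCopy line restores it from the ServicePackFiles copy. As an added example (not ComboFix code and not part of this thread), the script below does that comparison mechanically over the six atapi.sys lines copied from the log; the parser, the list of backup folders and the flag meanings are my own assumptions about the log format.

```python
"""Flag a live Windows driver whose hash matches none of its backup copies.

Added example, not from the thread or from ComboFix. It parses the
"Sigcheck" section of a ComboFix log, groups entries by file name, treats
copies under ServicePackFiles / dllcache / uninstall folders as reference
hashes, and reports a live copy under system32\\drivers whose MD5 matches
none of them, naming the newest reference copy as the FCopy source.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# One Sigcheck line: "[flag] date . MD5 . size . . [version] . . path"
# (layout inferred from the log above; assumption, not a documented format).
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Folders where Windows XP keeps pristine copies of system files (assumed list).
BACKUP_MARKERS = (
    "\\servicepackfiles\\",
    "\\dllcache\\",
    "\\$ntservicepackuninstall$\\",
    "\\reinstallbackups\\",
)
LIVE_MARKER = "\\system32\\drivers\\"


class SigEntry(NamedTuple):
    flag: str       # "7" = copy ComboFix could verify; "-" = it could not (assumed)
    md5: str
    size: int
    version: str    # "------" when no version could be read
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_backup(self) -> bool:
        low = self.path.lower()
        return any(marker in low for marker in BACKUP_MARKERS)

    @property
    def is_live(self) -> bool:
        return LIVE_MARKER in self.path.lower() and not self.is_backup


class Finding(NamedTuple):
    live: SigEntry
    restore_from: Optional[SigEntry]   # newest backup copy, if any
    reason: str


def parse_sigcheck(log_text: str) -> List[SigEntry]:
    """Return every Sigcheck entry found in a ComboFix log; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append(SigEntry(m["flag"], m["md5"].upper(), int(m["size"]),
                                    m["version"], m["path"]))
    return entries


def _version_key(version: str):
    """Sort key so that 5.1.2600.5512 (SP3) outranks 5.1.2600.2180 (SP2)."""
    if version.replace(".", "").isdigit():
        return tuple(int(part) for part in version.split("."))
    return (0,)


def find_tampered_drivers(entries: List[SigEntry]) -> List[Finding]:
    """Flag live drivers whose MD5 matches no backup copy of the same file name."""
    by_name: Dict[str, List[SigEntry]] = defaultdict(list)
    for entry in entries:
        by_name[entry.name].append(entry)

    findings = []
    for group in by_name.values():
        backups = [e for e in group if e.is_backup]
        known_hashes = {e.md5 for e in backups}
        for live in (e for e in group if e.is_live):
            if live.md5 in known_hashes:
                continue   # identical to a pristine copy: nothing to report
            reasons = ["MD5 matches none of %d backup copies" % len(backups)]
            if live.flag != "7":
                reasons.append("not verifiable (flag [%s])" % live.flag)
            if live.version == "------":
                reasons.append("no version resource")
            # Newest backup is the restore source; an identical size with a
            # different hash is the signature of a driver patched in place.
            best = max(backups, key=lambda e: _version_key(e.version), default=None)
            if best is not None and best.size == live.size:
                reasons.append("same size as %s copy: patched in place" % best.version)
            findings.append(Finding(live, best, "; ".join(reasons)))
    return findings


# Sample input: the six atapi.sys lines from the Sigcheck section of the
# ComboFix log posted above (copied from the log, not constructed).
SAMPLE_SIGCHECK = r"""
------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2008-04-13 18:40 . 3A7818DBA51A390A135929B54FA8BDC2 . 96512 . . [------] . . c:\windows\system32\drivers\atapi.sys
[7] 2006-02-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\system32\DRIVERS\atapi.sys
[7] 2006-02-28 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0007\DriverFiles\i386\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\atapi.sys
[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups\0008\DriverFiles\i386\atapi.sys
"""

if __name__ == "__main__":
    for finding in find_tampered_drivers(parse_sigcheck(SAMPLE_SIGCHECK)):
        print("SUSPECT:", finding.live.path)
        print("  reason:", finding.reason)
        if finding.restore_from is not None:
            # Same shape as the CFScript FCopy directive used in the thread.
            print("  FCopy::", finding.restore_from.path, "|", finding.live.path)
```

The only line flagged is the live atapi.sys (hash 3A78..., no version, same 96512-byte size as the SP3 copy), and the proposed FCopy pair is the one the helper wrote by hand.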

#11 notthecraw
  • Topic Starter
  • Members
  • 36 posts

Posted 23 November 2009 - 04:02 PM

OK, I will work as requested, but I did previously disable McAfee in all categories. Is it possible that the virus is just very smart, or shall I attempt to completely uninstall McAfee prior to running the new ComboFix?

#12 notthecraw
  • Topic Starter
  • Members
  • 36 posts

Posted 23 November 2009 - 04:15 PM

Ran ComboFix w/o net conx so it did not upgrade.
See next post.

Edited by notthecraw, 23 November 2009 - 07:30 PM.


#13 notthecraw
  • Topic Starter
  • Members
  • 36 posts

Posted 23 November 2009 - 07:31 PM

ComboFix detected rootkit activity and asked to reboot; I said OK.

ComboFix 09-11-22.04 - daniel 11/23/2009 16:13.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2031.1530 [GMT -8:00]
Running from: c:\documents and settings\daniel\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\daniel\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\atapi.sys --> c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-10-24 to 2009-11-24 )))))))))))))))))))))))))))))))
.

2009-11-19 03:52 . 2009-11-19 03:52 -------- d-----w- c:\program files\ESET
2009-11-06 21:00 . 2009-11-06 21:00 -------- d-----w- c:\program files\iPod
2009-11-06 21:00 . 2009-11-06 21:01 -------- d-----w- c:\program files\iTunes
2009-11-06 20:55 . 2009-11-06 20:55 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-22 02:16 . 2009-02-04 16:14 -------- d-----w- c:\program files\McAfee
2009-11-16 18:45 . 2009-02-06 03:48 71776 ----a-w- c:\documents and settings\daniel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-13 18:46 . 2009-09-24 23:33 -------- d-----w- c:\documents and settings\michelliel\Application Data\Apple Computer
2009-11-13 18:46 . 2009-02-04 20:56 71776 ----a-w- c:\documents and settings\michelliel\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-13 13:30 . 2009-02-04 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-11-13 13:27 . 2009-02-04 20:09 -------- d-----w- c:\program files\Microsoft Works
2009-11-10 20:59 . 2009-02-04 16:29 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-11-06 21:00 . 2009-09-04 20:02 -------- d-----w- c:\program files\Common Files\Apple
2009-11-03 16:09 . 2009-02-04 23:03 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-17 19:02 . 2009-02-09 18:34 -------- d-----w- c:\program files\Microsoft SQL Server
2009-10-09 21:51 . 2009-10-09 21:51 -------- d-----w- c:\documents and settings\daniel\Application Data\Intuit
2009-10-09 20:34 . 2009-10-09 20:34 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0
2009-10-09 20:32 . 2009-10-09 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit
2009-10-09 20:32 . 2009-10-09 20:31 -------- d-----w- c:\program files\Common Files\Intuit
2009-10-09 20:30 . 2009-10-09 20:30 -------- d-----w- c:\program files\TurboTax
2009-10-09 20:02 . 2009-10-09 20:02 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-10-09 20:00 . 2009-09-04 19:57 -------- d-----w- c:\program files\QuickTime
2009-09-16 17:22 . 2009-02-04 16:15 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 17:22 . 2009-02-04 16:15 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 17:22 . 2009-02-04 16:15 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 17:22 . 2009-02-04 16:15 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 17:22 . 2009-02-04 16:15 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2006-02-28 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 07:36 . 2006-02-28 12:00 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2006-02-28 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2006-02-28 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-23_02.40.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-02-28 12:00 . 2008-04-13 18:40 96512 c:\windows\system32\dllcache\atapi.sys
+ 2009-02-03 20:25 . 2009-11-23 20:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-03 20:25 . 2009-11-23 02:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-03 20:25 . 2009-11-23 20:11 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-03 20:25 . 2009-11-23 02:11 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoToMeeting"="c:\program files\Citrix\GoToMeeting\320\g2mstart.exe" [2009-02-23 31552]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-26 212992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-07-06 408088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-29 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"CTSysVol"="c:\program files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-06-29 1626112]

c:\documents and settings\michelliel\Start Menu\Programs\Startup\
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe [2009-2-4 845584]

c:\documents and settings\daniel\Start Menu\Programs\Startup\
Microsoft Office Outlook 2007.lnk - c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe [2009-2-4 845584]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-4-6 147456]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-6 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2/25/2009 5:06 PM 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2/4/2009 8:17 AM 203280]
R2 UNS;Intel® Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [2/3/2009 2:16 PM 2521624]
.
Contents of the 'Scheduled Tasks' folder

2009-11-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-06-18 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 1200 series5E771253C1676EBED677BF361FDFC537825E15B8233791596.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 08:52]

2009-02-04 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-04 19:22]

2009-02-04 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-02-04 19:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://groups.yahoo.com/group/solid_rock_climbers/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-23 16:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\daniel\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-11-23 16:18
ComboFix-quarantined-files.txt 2009-11-24 00:18
ComboFix2.txt 2009-11-23 02:43

Pre-Run: 183,424,647,168 bytes free
Post-Run: 183,397,003,264 bytes free

- - End Of File - - 822A05030CCE3193EE4DB2036F34B308

#14 myrti
    Sillyberry

  • Malware Study Hall Admin
  • 33,779 posts

Posted 24 November 2009 - 02:54 PM

Hi,

how are those redirects?

Please run a new scan with gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti



#15 notthecraw
  • Topic Starter
  • Members
  • 36 posts

Posted 24 November 2009 - 04:11 PM

Hi myrti,

Thank you for all the help :(

The redirects seem to have stopped. Strangely, Java is still missing on my Control Panel, so I'm wondering if it's hiding out.

I do have my HD partitioned and we only dealt with the C: drive; should we involve my data drive (X:) as well?

Here is the gmer log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-24 13:06:15
Windows 5.1.2600 Service Pack 3
Running: ch9i0hne.exe; Driver: C:\DOCUME~1\daniel\LOCALS~1\Temp\pwtdypoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xB585278A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xB5852821]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xB5852738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xB585274C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xB5852835]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xB5852861]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xB58528CF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xB58528B9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xB58527CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xB58528FB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xB585280D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xB5852710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xB5852724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xB585279E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xB5852937]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xB58528A3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xB585288D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xB585284B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xB5852923]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xB585290F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xB5852776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xB5852762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xB5852877]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xB58527F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xB58528E5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xB58527E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xB58527B4]
Code \??\C:\DOCUME~1\daniel\LOCALS~1\Temp\catchme.sys pIofCallDriver
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP B58527B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP B585278E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP B58527CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP B58527E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP B58527A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP B5852714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP B5852728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP B5852766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP B5852750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP B585273C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP B585277A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP B58527FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP B5852891 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetValueKey 80621D38 7 Bytes JMP B585287B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP B58528E9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP B58528A7 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP B585284F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateKey 806237B2 5 Bytes JMP B5852825 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP B5852839 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP B5852865 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 7 Bytes JMP B58528D3 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP B58528BD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP B5852811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP B585293B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP B5852913 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP B5852927 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP B58528FF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB972E380, 0x2FF527, 0xE8000020]
? C:\DOCUME~1\daniel\LOCALS~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00B80000
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00B80FA0
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00B80FBB
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00B80095
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00B80084
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00B8004E
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00B80F72
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00B80F8F
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00B800E6
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00B80F4D
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00B800F7
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00B8005F
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00B80011
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00B800B0
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00B80033
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00B80022
.text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00B800CB
.text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00B70FAF
.text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00B70036
.text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00B70FC0
.text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00B70000
.text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00B70F83
.text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00B70FE5
.text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00B70025
.text C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00B70F94
.text C:\WINDOWS\system32\svchost.exe[456] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00B60F97
.text C:\WINDOWS\system32\svchost.exe[456] msvcrt.dll!system 77C293C7 5 Bytes JMP 00B60FA8
.text C:\WINDOWS\system32\svchost.exe[456] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00B60022
.text C:\WINDOWS\system32\svchost.exe[456] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00B60000
.text C:\WINDOWS\system32\svchost.exe[456] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00B60FC3
.text C:\WINDOWS\system32\svchost.exe[456] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00B60011
.text C:\WINDOWS\system32\SearchIndexer.exe[632] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00070FEF
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00070065
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 0007004A
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00070F70
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00070F97
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0007002F
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00070F1D
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00070F3A
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00070094
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00070EF1
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 000700A5
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00070FB2
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00070FD4
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00070F55
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00070FC3
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0007000A
.text C:\WINDOWS\system32\services.exe[804] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00070F0C
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 0006000A
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 0006006C
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00060FB9
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00060FD4
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00060051
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00060FEF
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00060040
.text C:\WINDOWS\system32\services.exe[804] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00060025
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00050F9A
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!system 77C293C7 5 Bytes JMP 00050025
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0005000A
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00050FE3
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00050FB5
.text C:\WINDOWS\system32\services.exe[804] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00050FC6
.text C:\WINDOWS\system32\services.exe[804] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00040FE5
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D60000
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D60F88
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D60F99
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D60073
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D60FB6
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D60FD1
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D60F52
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D6008E
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D600D0
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D60F37
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D600E1
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D60058
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D60011
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D60F6D
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D6003D
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D60022
.text C:\WINDOWS\system32\lsass.exe[816] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D600B5
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00D50051
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00D50FA8
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00D5002C
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00D50011
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00D50FB9
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00D50000
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00D50FCA
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [F5, 88]
.text C:\WINDOWS\system32\lsass.exe[816] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00D50FDB
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00D40F94
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!system 77C293C7 5 Bytes JMP 00D40FAF
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00D40FD4
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00D40FEF
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00D40029
.text C:\WINDOWS\system32\lsass.exe[816] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00D4000C
.text C:\WINDOWS\system32\lsass.exe[816] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00D30FEF
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00EE0000
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00EE00AB
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00EE0090
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00EE0073
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00EE0062
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00EE0FC0
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00EE0F83
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00EE0F94
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00EE00FA
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00EE0F61
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00EE0115
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00EE0051
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00EE001B
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00EE0FA5
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00EE002C
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00EE0FE5
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00EE0F72
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00ED0047
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00ED0FB6
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00ED0036
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00ED0025
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00ED0073
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00ED0000
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00ED0FD1
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [0D, 89]
.text C:\WINDOWS\system32\svchost.exe[980] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00ED0062
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00EC0FAF
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!system 77C293C7 5 Bytes JMP 00EC0044
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00EC0029
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00EC0FEF
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00EC0FD4
.text C:\WINDOWS\system32\svchost.exe[980] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00EC000C
.text C:\WINDOWS\system32\svchost.exe[980] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00EB0000
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00C40FE5
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00C4005B
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00C40F66
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00C40F77
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00C40F94
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00C40036
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00C40F2E
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00C40080
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00C40EE7
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00C40EF8
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00C40091
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00C40FAF
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00C40FD4
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00C40F55
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00C4001B
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00C4000A
.text C:\WINDOWS\system32\svchost.exe[1048] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00C40F13
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00C30FCA
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00C30F8A
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00C30FE5
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00C3001B
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00C30F9B
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00C30000
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00C30047
.text C:\WINDOWS\system32\svchost.exe[1048] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00C30036
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00C2004C
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!system 77C293C7 5 Bytes JMP 00C2003B
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00C20FD2
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00C20FE3
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00C20FC1
.text C:\WINDOWS\system32\svchost.exe[1048] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00C2000C
.text C:\WINDOWS\system32\svchost.exe[1048] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C10000
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 02F00000
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 02F00F85
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 02F00084
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02F00069
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 02F00FAC
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 02F0003D
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 02F000B7
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 02F000A6
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 02F00F54
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 02F000ED
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 02F00108
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 02F00058
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 02F00FDB
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 02F00095
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 02F0002C
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 02F00011
.text C:\WINDOWS\System32\svchost.exe[1088] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 02F000D2
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 02C10036
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 02C10062
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 02C10025
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 02C10014
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 02C10FAF
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 02C10FEF
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 02C10051
.text C:\WINDOWS\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 02C10FCA
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 02C0005F
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!system 77C293C7 5 Bytes JMP 02C00FD4
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 02C00029
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_open 77C2F566 5 Bytes JMP 02C0000C
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 02C00044
.text C:\WINDOWS\System32\svchost.exe[1088] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 02C00FEF
.text C:\WINDOWS\System32\svchost.exe[1088] WS2_32.dll!socket 71AB4211 5 Bytes JMP 02BF0000
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenA 3D953081 5 Bytes JMP 02BE0FE5
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenW 3D9536B1 5 Bytes JMP 02BE0FD4
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenUrlA 3D956F5A 5 Bytes JMP 02BE000A
.text C:\WINDOWS\System32\svchost.exe[1088] WININET.dll!InternetOpenUrlW 3D998439 5 Bytes JMP 02BE0FB9
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 007B0FE5
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 007B007D
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 007B0062
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 007B0F94
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 007B0FAF
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 007B0047
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 007B0F41
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 007B0F52
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 007B0F15
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 007B00AE
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 007B00C9
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 007B0FC0
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 007B0000
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 007B0F6D
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 007B002C
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 007B0011
.text C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 007B0F30
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 007A0FD4
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 007A0076
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 007A0025
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 007A0065
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 007A0FE5
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 007A0040
.text C:\WINDOWS\system32\svchost.exe[1184] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 007A0FB9
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00790FA8
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!system 77C293C7 5 Bytes JMP 0079003D
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00790FDE
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00790000
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00790FC3
.text C:\WINDOWS\system32\svchost.exe[1184] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00790FEF
.text C:\WINDOWS\system32\svchost.exe[1184] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00780FE5
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A00FEF
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A00F7C
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A00067
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A0004A
.text C:\WINDOWS\system32\svchost.exe[1216] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A00039

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----
