
Infected with ESQUL Trojan &/or NTOSKRNL-HOOK rootkit


  • This topic is locked
14 replies to this topic

#1 delldummy99

  • Members
  • 12 posts

Posted 15 November 2009 - 11:15 PM

Hi,
I was referred here by a moderator in the Am I infected? boards (username: garmanma). McAfee kept detecting NTOSKRNL-HOOK every time I ran it, and RootRepeal has detected ESQULserv.sys Trojan downloader. I do not know how to remove any of this stuff. BTW, I have uninstalled Vuze and I will never use P2P again! It's not worth it! My IE7 does not work anymore (crashes on startup), and I get blue screens when activating my Xbox 360 controller. I also cannot use Windows or iTunes to burn CDs/DVDs anymore (only Roxio works). Thanks in advance for your help! :( :(

DDS (Ver_09-10-26.01) - NTFSx86
Run by Ryan at 22:16:31.04 on 15/11/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3069.1419 [GMT -5:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\ehome\ehsched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Windows\ehome\ehshell.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\ehome\ehRec.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Ryan\Desktop\dds.scr
C:\Windows\system32\conime.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = blank.htm
uSearch Bar = Preserve
uStart Page = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3070619
uWindow Title = Internet Explorer provided by Dell
mStart Page = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3070619
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\ssv.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
TCP: NameServer = 85.255.112.149,85.255.112.214
TCP: {3128F9B9-C3EC-4DF3-ABFB-E9DABC767F83} = 85.255.112.149,85.255.112.214
TCP: {AD63F258-3A8E-4B19-A200-5704ACFA1127} = 209.91.128.11 204.187.88.10
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\ryan\appdata\roaming\mozilla\firefox\profiles\t1vuiha8.default
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\vistacodecpack\qtplugins\npqtplugin.dll
FF - plugin: c:\program files\vistacodecpack\qtplugins\npqtplugin2.dll
FF - plugin: c:\program files\vistacodecpack\qtplugins\npqtplugin3.dll
FF - plugin: c:\program files\vistacodecpack\qtplugins\npqtplugin4.dll
FF - plugin: c:\program files\vistacodecpack\qtplugins\npqtplugin5.dll
FF - plugin: c:\program files\vistacodecpack\qtplugins\npqtplugin6.dll
FF - plugin: c:\program files\vistacodecpack\qtplugins\npqtplugin7.dll
FF - plugin: c:\program files\vistacodecpack\rmbrowserplugins\nppl3260.dll
FF - plugin: c:\program files\vistacodecpack\rmbrowserplugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2007-7-8 5120]

=============== Created Last 30 ================

2009-11-13 07:24:29 0 d-----w- C:\92330BB3
2009-11-11 03:51:58 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 03:51:49 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-05 17:23:25 0 d-----w- c:\program files\Windows Portable Devices
2009-11-05 17:23:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-05 17:23:09 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-05 11:38:51 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-11-05 11:37:20 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-05 11:37:19 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-05 11:37:19 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-05 02:11:30 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2009-10-27 19:11:20 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 19:11:19 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-21 05:22:15 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-21 05:21:33 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-21 05:21:24 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-21 05:21:24 171608 ----a-w- c:\windows\system32\wuwebv.dll

==================== Find3M ====================

2009-11-15 19:47:30 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-05 17:23:21 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-05 17:23:21 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-05 17:23:21 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-05 17:23:21 143360 ----a-w- c:\windows\inf\infstor.dat
2009-11-03 19:57:18 8774 ----a-w- c:\users\ryan\appdata\roaming\wklnhst.dat
2009-11-03 01:42:06 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-01 01:02:17 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02:04 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02:02 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02:00 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01:59 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01:59 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01:56 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01:56 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01:56 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01:56 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01:54 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01:54 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01:50 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01:49 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-10-01 01:01:49 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-09-25 02:10:10 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07:08 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04:32 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49:22 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48:08 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38:29 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36:13 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35:31 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33:25 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33:15 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33:01 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32:59 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31:53 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31:26 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31:21 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31:19 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31:16 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31:15 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30:23 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:30:23 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:27:25 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27:04 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27:04 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27:04 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54:55 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54:53 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54:52 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-19 02:23:24 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2009-09-10 16:48:01 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 02:01:02 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-09-10 02:00:54 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-09-10 02:00:36 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-09-04 11:41:59 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27:49 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22:28 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 05:17:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 03:42:29 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2008-09-23 07:35:09 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-08-04 22:30:54 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\feeds cache\index.dat
2009-08-04 22:30:54 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012009080420090805\index.dat
2009-08-04 22:24:45 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\low\history.ie5\index.dat
2009-08-04 22:24:45 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\temporary internet files\low\content.ie5\index.dat
2009-08-04 22:24:45 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\cookies\low\index.dat
2009-08-04 22:30:54 16384 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\iecompatcache\index.dat
2009-08-04 22:32:38 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\privacie\index.dat
2007-06-19 06:17:56 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 22:17:41.68 ===============

The moderator on the Am I infected? board also had me run a Win32KDiag so I've attached that to this post.

Topic referenced is here: http://www.bleepingcomputer.com/forums/t/270938/mcafee-cannot-remove-ntoskrnl-hook-rootkit-trojan/ ~ OB

Merged posts. ~ OB

Edited by Orange Blossom, 15 November 2009 - 11:34 PM.



#2 myrti

  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 24 November 2009 - 04:40 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
  • Please download OTL from the following mirror:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#3 delldummy99

  • Topic Starter
  • Members
  • 12 posts

Posted 24 November 2009 - 07:47 PM

I tried to download OTL and McAfee blocked it - it thinks that OTL is a Trojan (Artemis something or other). I read on Geeks to Go that this is a false positive, so I tried to download it again (ignoring McAfee's recommendation). This time a window popped up saying I don't have permission to save it to the desktop. I hope that I didn't just acquire some more spyware by performing these actions!!?? Help!

#4 myrti

  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 24 November 2009 - 09:32 PM

Hi,

OTL is not malware; it may, however, be that something is blocking the download.

Some anti-virus programs have started to block the OTL mirror for reasons unknown to me. The site and the downloaded file are clean and trustworthy.
In fact, geekstogo.com is a big and well-known anti-malware community, just like bleepingcomputer.com, and the author of OTL, OldTimer, is a well-respected member of our and other forums. The link I gave you is the official mirror for it.
If you want to try a different download location, please try the following link: alternative mirror.

This link usually is not blocked by anti-virus programs, so please let me know if you are having trouble with that link as well.

Please also try to rename otl.exe to runme.com before saving it on your desktop.

Let me know if you are able to run OTL with these modifications.

regards myrti


#5 delldummy99

  • Topic Starter
  • Members
  • 12 posts

Posted 24 November 2009 - 11:08 PM

Thank you so much for the reply. I knew if I was patient that you guys would reply to my initial post.

It was the McAfee firewall that was preventing the download, so OTL worked after I disabled that. I did download combofix (as you'll see in the scan) after reading an earlier forum (prior to subscribing to bleepingcomputer.com), but I have NEVER run combofix, nor do I plan to unless instructed to.

My initial problems were:
1) Internet Explorer crashing on startup 100% of the time
2) my Xbox 360 controller causing blue screen shutdowns when activated (fixed by uninstalling and reinstalling the driver - but then the problem would recur)
3) unable to burn CDs/DVDs in Windows or iTunes (only Roxio worked)
4) McAfee would find NTOSKRNL-HOOK every day and say that it had removed it, but it would be back again on the next scan.

Prior to posting on bleepingcomputer.com, I ran the Secured 2K CD (from a posting on the McAfee boards), which is basically McAfee from a boot CD. My IE8 now works again. When running McAfee from the OS, it found NTOSKRNL-HOOK one more time, then it hasn't found it since.

After joining bleepingcomputer.com, username: garmanma had me run RootRepeal, which detected ESQUL Trojan downloader. I also ran a Kaspersky scan, which found a Trojan downloader infected Raffi Mp3 (deleted now).


Here's the OTL.txt file:

OTL logfile created on: 24/11/2009 10:41:32 PM - Run 1
OTL by OldTimer - Version 3.1.8.0 Folder = C:\Users\Ryan\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.51 Gb Available Physical Memory | 75.45% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.03 Gb Total Space | 56.19 Gb Free Space | 19.51% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.37 Gb Free Space | 53.68% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE-PC
Current User Name: Ryan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/11/24 22:39:56 | 00,529,920 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\runme.com
PRC - [2009/11/05 23:25:48 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/09/17 13:29:04 | 00,645,328 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/15 09:23:54 | 00,894,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/07/26 16:44:34 | 03,883,856 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\msnmsgr.exe
PRC - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/06/30 08:55:40 | 02,329,224 | ---- | M] (IObit) -- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2009/04/11 01:27:36 | 02,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2008/04/06 15:00:31 | 00,066,872 | ---- | M] () -- C:\Windows\System32\PnkBstrA.exe
PRC - [2008/01/19 02:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe
PRC - [2008/01/19 02:33:39 | 00,202,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2008/01/19 02:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehrecvr.exe
PRC - [2008/01/19 02:33:09 | 00,125,952 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehtray.exe
PRC - [2008/01/19 02:33:09 | 00,037,376 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehmsas.exe
PRC - [2007/05/11 16:30:50 | 00,133,920 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
PRC - [2007/05/11 16:28:56 | 00,187,168 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PRC - [2007/05/11 16:28:56 | 00,187,168 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
PRC - [2006/11/05 11:15:12 | 00,880,640 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
PRC - [2006/11/05 11:13:00 | 00,159,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
PRC - [2006/11/02 07:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe
PRC - [2006/09/29 12:38:50 | 00,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe


========== Modules (SafeList) ==========

MOD - [2009/11/24 22:39:56 | 00,529,920 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\runme.com
MOD - [2009/04/11 01:21:38 | 01,686,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
MOD - [2007/05/11 16:30:38 | 00,113,440 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcInj.dll


========== Win32 Services (SafeList) ==========

SRV - File not found -- -- (CLTNetCnService)
SRV - File not found -- -- (0199681255043740mcinstcleanup) McAfee Application Installer Cleanup (0199681255043740)
SRV - [2009/10/15 13:17:35 | 00,316,664 | ---- | M] (Valve Corporation) -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2009/09/24 20:27:04 | 00,793,088 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/09/20 08:29:26 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1ca39f66981642f) Google Update Service (gupdate1ca39f66981642f)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/09/15 09:23:54 | 00,894,136 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/07/13 13:02:50 | 00,542,496 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2009/07/09 23:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/07/09 11:22:18 | 00,144,712 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\program files\common files\mcafee\mna\mcnasvc.exe -- (McNASvc)
SRV - [2009/05/05 14:14:24 | 00,182,768 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/03/29 23:42:14 | 00,066,368 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2009/02/18 13:39:20 | 00,043,904 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2009/02/18 13:38:43 | 00,129,880 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2009/02/18 13:38:42 | 00,879,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2009/02/11 10:06:36 | 00,210,216 | ---- | M] () -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2008/04/06 15:00:31 | 00,066,872 | ---- | M] () -- C:\Windows\System32\PnkBstrA.exe -- (PnkBstrA)
SRV - [2008/01/19 02:38:24 | 00,272,952 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/19 02:33:39 | 00,896,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnetwk.exe -- (WMPNetworkSvc)
SRV - [2008/01/19 02:33:09 | 00,292,352 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehrecvr.exe -- (ehRecvr)
SRV - [2007/06/18 17:41:14 | 01,862,144 | ---- | M] (Google) -- C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager)
SRV - [2007/05/11 16:32:22 | 00,142,112 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe -- (LVSrvLauncher)
SRV - [2007/05/11 16:30:50 | 00,133,920 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe -- (LVPrcSrv)
SRV - [2007/05/11 16:28:56 | 00,187,168 | ---- | M] (Logitech Inc.) -- C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe -- (LVCOMSer)
SRV - [2006/11/07 13:27:02 | 00,070,656 | ---- | M] () -- C:\Program Files\DellSupport\brkrsvc.exe -- (DSBrokerService)
SRV - [2006/11/05 11:15:12 | 00,880,640 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe -- (RoxMediaDB9)
SRV - [2006/11/05 11:13:00 | 00,159,744 | ---- | M] (Sonic Solutions) -- C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe -- (RoxWatch9)
SRV - [2006/11/02 07:35:29 | 00,131,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehsched.exe -- (ehSched)
SRV - [2006/11/02 07:35:29 | 00,013,312 | ---- | M] (Microsoft Corporation) -- C:\Windows\ehome\ehstart.dll -- (ehstart)
SRV - [2006/09/29 12:38:50 | 00,081,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel®
SRV - [2006/09/14 14:54:34 | 00,073,728 | ---- | M] (MicroVision Development, Inc.) -- C:\Program Files\Common Files\SureThing Shared\stllssvr.exe -- (stllssvr)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)


========== Driver Services (SafeList) ==========

DRV - [2009/09/16 09:22:48 | 00,214,664 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfehidk.sys -- (mfehidk)
DRV - [2009/09/16 09:22:48 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfeavfk.sys -- (mfeavfk)
DRV - [2009/09/16 09:22:48 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfesmfk.sys -- (mfesmfk)
DRV - [2009/09/16 09:22:48 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mfebopk.sys -- (mfebopk)
DRV - [2009/09/16 09:22:14 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\mferkdk.sys -- (mferkdk)
DRV - [2009/07/16 11:32:26 | 00,130,424 | ---- | M] (McAfee, Inc.) -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/04/10 23:42:54 | 00,073,216 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2009/04/08 13:29:52 | 00,056,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\xusb21.sys -- (xusb21)
DRV - [2009/03/19 15:32:48 | 00,023,400 | ---- | M] (GEAR Software Inc.) -- C:\Windows\System32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM)
DRV - [2008/03/27 18:42:09 | 00,011,973 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\Windows\System32\drivers\secdrv.sys -- (secdrv)
DRV - [2008/01/19 00:53:31 | 00,045,696 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\61883.sys -- (61883)
DRV - [2008/01/19 00:53:31 | 00,040,448 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\avc.sys -- (Avc)
DRV - [2008/01/19 00:53:28 | 00,052,608 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\drivers\msdv.sys -- (MSDV)
DRV - [2008/01/18 23:25:05 | 00,220,672 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel®
DRV - [2007/09/17 08:07:00 | 07,624,192 | ---- | M] (NVIDIA Corporation) -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2007/06/19 01:17:56 | 00,020,152 | ---- | M] (VIA Technologies, Inc.) -- C:\Windows\system32\drivers\viaide.sys -- (viaide)
DRV - [2007/06/19 01:17:56 | 00,019,128 | ---- | M] (CMD Technology, Inc.) -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide)
DRV - [2007/06/19 01:17:56 | 00,017,592 | ---- | M] (Acer Laboratories Inc.) -- C:\Windows\system32\drivers\aliide.sys -- (aliide)
DRV - [2007/05/11 19:31:34 | 03,580,832 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\lvuvc.sys -- (LVUVC) Logitech QuickCam Pro 5000(UVC)
DRV - [2007/05/11 19:31:20 | 00,041,888 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2007/05/11 19:30:02 | 01,921,184 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\lvpopflt.sys -- (lvpopflt)
DRV - [2007/05/11 16:30:16 | 00,025,888 | ---- | M] () -- C:\Windows\System32\drivers\LVPr2Mon.sys -- (LVPr2Mon)
DRV - [2007/05/11 16:29:54 | 02,142,752 | ---- | M] (Logitech Inc.) -- C:\Windows\System32\drivers\LVMVdrv.sys -- (LVMVDrv)
DRV - [2007/05/11 16:27:58 | 02,107,808 | ---- | M] () -- C:\Windows\System32\drivers\Lvckap.sys -- (LVcKap)
DRV - [2007/02/08 00:16:26 | 00,647,680 | ---- | M] (SigmaTel, Inc.) -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/01/24 06:20:10 | 00,383,488 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\drivers\atinavrr.sys -- (ATIAVPCI)
DRV - [2006/11/22 08:52:08 | 00,005,120 | ---- | M] (Samsung Electronics) -- C:\Windows\System32\drivers\SSPORT.SYS -- (SSPORT)
DRV - [2006/11/02 04:51:45 | 00,900,712 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300)
DRV - [2006/11/02 04:51:38 | 00,420,968 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx)
DRV - [2006/11/02 04:51:34 | 00,316,520 | ---- | M] (Emulex) -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor)
DRV - [2006/11/02 04:51:32 | 00,297,576 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci)
DRV - [2006/11/02 04:51:25 | 00,235,112 | ---- | M] (ULi Electronics Inc.) -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci)
DRV - [2006/11/02 04:51:25 | 00,232,040 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV)
DRV - [2006/11/02 04:51:00 | 00,147,048 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320)
DRV - [2006/11/02 04:50:45 | 00,115,816 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2)
DRV - [2006/11/02 04:50:41 | 00,112,232 | ---- | M] (VIA Technologies Inc.,Ltd) -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid)
DRV - [2006/11/02 04:50:35 | 00,106,088 | ---- | M] (QLogic Corporation) -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx)
DRV - [2006/11/02 04:50:35 | 00,098,408 | ---- | M] (Promise Technology, Inc.) -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata)
DRV - [2006/11/02 04:50:35 | 00,098,408 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m)
DRV - [2006/11/02 04:50:24 | 00,088,680 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid)
DRV - [2006/11/02 04:50:19 | 00,045,160 | ---- | M] (IBM Corporation) -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960)
DRV - [2006/11/02 04:50:17 | 00,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp)
DRV - [2006/11/02 04:50:16 | 00,071,784 | ---- | M] (Silicon Integrated Systems) -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4)
DRV - [2006/11/02 04:50:13 | 00,040,040 | ---- | M] (NVIDIA Corporation) -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor)
DRV - [2006/11/02 04:50:11 | 00,071,272 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx)
DRV - [2006/11/02 04:50:10 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas)
DRV - [2006/11/02 04:50:10 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2006/11/02 04:50:10 | 00,038,504 | ---- | M] (Silicon Integrated Systems Corp.) -- C:\Windows\system32\drivers\sisraid2.sys -- (SiSRaid2)
DRV - [2006/11/02 04:50:10 | 00,037,480 | ---- | M] (Hewlett-Packard Company) -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs)
DRV - [2006/11/02 04:50:09 | 00,067,688 | ---- | M] (Adaptec, Inc.) -- C:\Windows\system32\drivers\arc.sys -- (arc)
DRV - [2006/11/02 04:50:09 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid)
DRV - [2006/11/02 04:50:07 | 00,035,944 | ---- | M] (Integrated Technology Express, Inc.) -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi)
DRV - [2006/11/02 04:50:05 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS)
DRV - [2006/11/02 04:50:05 | 00,035,944 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx)
DRV - [2006/11/02 04:50:04 | 00,065,640 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC)
DRV - [2006/11/02 04:50:03 | 00,034,920 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3)
DRV - [2006/11/02 04:49:59 | 00,033,384 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x)
DRV - [2006/11/02 04:49:56 | 00,031,848 | ---- | M] (LSI Logic) -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi)
DRV - [2006/11/02 04:49:53 | 00,028,776 | ---- | M] (LSI Logic Corporation) -- C:\Windows\system32\drivers\megasas.sys -- (megasas)
DRV - [2006/11/02 03:25:24 | 00,071,808 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2006/11/02 03:24:47 | 00,011,904 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer)
DRV - [2006/11/02 03:24:46 | 00,005,248 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp)
DRV - [2006/11/02 03:24:45 | 00,013,568 | ---- | M] (Brother Industries, Ltd.) -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo)
DRV - [2006/11/02 03:24:44 | 00,062,336 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm)
DRV - [2006/11/02 03:24:44 | 00,012,160 | ---- | M] (Brother Industries Ltd.) -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm)
DRV - [2006/11/02 02:36:50 | 00,020,608 | ---- | M] (N-trig Innovative Technologies) -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi)
DRV - [2006/11/02 02:36:43 | 02,028,032 | ---- | M] (ATI Technologies Inc.) -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)
DRV - [2006/11/02 02:30:54 | 00,117,760 | ---- | M] (Intel Corporation) -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel®
DRV - [2006/10/05 16:07:28 | 00,004,736 | ---- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys -- (DSproct)
DRV - [2006/09/29 14:59:58 | 00,250,368 | ---- | M] (Intel Corporation) -- C:\Windows\system32\drivers\iastor.sys -- (iaStor)
DRV - [2006/09/27 16:53:22 | 00,036,560 | ---- | M] (Sonic Solutions) -- C:\Windows\System32\Drivers\PxHelp20.sys -- (PxHelp20)
DRV - [2006/09/05 08:33:12 | 00,041,984 | ---- | M] (Samsung Electronics Co., Ltd.) -- C:\Windows\System32\drivers\DGIVECP.SYS -- (DgiVecp)
DRV - [2006/08/17 15:43:52 | 00,007,424 | --S- | M] (Gteko Ltd.) -- C:\Program Files\DellSupport\Drivers\dsunidrv.sys -- (dsunidrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\System32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig/dell?hl=en&cli...amp;ibd=3070619


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1280494866-3057319620-478108040-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKU\S-1-5-21-1280494866-3057319620-478108040-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-1280494866-3057319620-478108040-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKU\S-1-5-21-1280494866-3057319620-478108040-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Secondary Start Pages = [Binary data over 100 bytes]
IE - HKU\S-1-5-21-1280494866-3057319620-478108040-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ig/dell?hl=en&cli...amp;ibd=3070619
IE - HKU\S-1-5-21-1280494866-3057319620-478108040-1000\S-1-5-21-1280494866-3057319620-478108040-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.9
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.1
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.5

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/09/18 18:29:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/07/26 01:48:20 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/19 21:50:57 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/05 23:25:50 | 00,000,000 | ---D | M]

[2009/09/19 09:58:56 | 00,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Mozilla\Extensions
[2009/09/19 09:58:56 | 00,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/11/24 19:41:37 | 00,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\t1vuiha8.default\extensions
[2009/09/19 09:59:28 | 00,000,000 | ---D | M] -- C:\Users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\t1vuiha8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2009/09/19 09:58:24 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/05 23:25:50 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/11/05 23:25:48 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/05 23:25:48 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2007/04/10 17:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
[2009/11/05 23:25:48 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2007/05/01 23:44:29 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2007/05/01 23:44:29 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2007/05/01 23:44:29 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2007/05/01 23:44:30 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2007/05/01 23:44:31 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
[2007/05/01 23:44:31 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
[2009/08/24 13:45:46 | 00,001,394 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
[2009/08/24 13:45:46 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/08/24 13:45:46 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/08/24 13:45:46 | 00,002,344 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
[2009/08/24 13:45:46 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/08/24 13:45:46 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/08/24 13:45:46 | 00,000,792 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml

O1 HOSTS File: (761 bytes) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll (Google Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll (Google Inc.)
O2 - BHO: (CBrowserHelperObject Object) - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll (Dell Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-1280494866-3057319620-478108040-1000\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1280494866-3057319620-478108040-1000..\Run: [ehTray.exe] C:\Windows\ehome\ehtray.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1280494866-3057319620-478108040-1000..\Run: [msnmsgr] C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-1280494866-3057319620-478108040-1000..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: BindDirectlyToPropertySetStorage = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableInstallerDetection = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableSecureUIAPaths = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableVirtualization = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ValidateAdminCodeSignatures = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: scforceoption = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: FilterAdministratorToken = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableUIADesktopToggle = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_TEXT = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_BITMAP = 2
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_OEMTEXT = 7
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIB = 8
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_PALETTE = 9
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_UNICODETEXT = 13
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\UIPI\Clipboard\ExceptionFormats: CF_DIBV5 = 17
O7 - HKU\S-1-5-21-1280494866-3057319620-478108040-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll (Sun Microsystems, Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/5/b...heckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Java Plug-in 1.5.0_03)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.149,85.255.112.214
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8089.0726.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll ()
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - AppInit_DLLs: (C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL) - C:\Program Files\Google\Google Desktop Search\GoogleDesktopNetwork3.dll (Google)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/18 16:43:36 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{c8f476e4-a0d5-11de-aeb9-b968a73abaee}\Shell - "" = AutoRun
O33 - MountPoints2\{c8f476e4-a0d5-11de-aeb9-b968a73abaee}\Shell\AutoRun\command - "" = F:\AutoLaunch.exe -- File not found
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\Windows\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/11/24 22:39:46 | 00,529,920 | ---- | C] (OldTimer Tools) -- C:\Users\Ryan\Desktop\runme.com
[2009/11/20 03:00:58 | 01,892,184 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_42.dll
[2009/11/20 03:00:58 | 00,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll
[2009/11/18 03:02:05 | 03,786,760 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_37.dll
[2009/11/18 03:02:05 | 01,420,824 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_37.dll
[2009/11/18 03:02:05 | 00,462,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_37.dll
[2009/11/18 03:02:05 | 00,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_3.dll
[2009/11/18 03:02:00 | 00,000,000 | ---D | C] -- C:\Windows\System32\xlive
[2009/11/18 03:01:49 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft Games for Windows - LIVE
[2009/11/17 12:55:59 | 00,000,000 | ---D | C] -- C:\Users\Ryan\Tracing
[2009/11/17 12:54:59 | 00,000,000 | ---D | C] -- C:\Program Files\Microsoft
[2009/11/17 12:54:51 | 00,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2009/11/17 12:54:30 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live SkyDrive
[2009/11/17 12:54:13 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Live
[2009/11/17 12:52:32 | 00,000,000 | ---D | C] -- C:\Program Files\Common Files\Windows Live
[2009/11/15 22:23:14 | 00,472,064 | ---- | C] ( ) -- C:\Users\Ryan\Desktop\RootRepeal.exe
[2009/11/13 02:24:29 | 00,000,000 | ---D | C] -- C:\92330BB3
[2009/11/10 22:51:58 | 02,036,736 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2009/11/10 22:51:49 | 00,355,328 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WSDApi.dll
[2009/11/06 10:59:54 | 15,406,728 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xlive.dll
[2009/11/06 10:59:54 | 13,642,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xlivefnt.dll
[2009/11/05 12:23:25 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Portable Devices
[2009/11/05 06:39:35 | 00,092,672 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIAnimation.dll
[2009/11/05 06:39:34 | 03,023,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIRibbon.dll
[2009/11/05 06:39:34 | 01,164,800 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIRibbonRes.dll
[2009/11/05 06:39:14 | 00,634,880 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\dxgkrnl.sys
[2009/11/05 06:39:14 | 00,369,664 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WMPhoto.dll
[2009/11/05 06:39:14 | 00,258,048 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winspool.drv
[2009/11/05 06:39:14 | 00,037,888 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\cdd.dll
[2009/11/05 06:39:13 | 01,554,432 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xpsservices.dll
[2009/11/05 06:39:13 | 01,064,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2009/11/05 06:39:13 | 00,974,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WindowsCodecs.dll
[2009/11/05 06:39:13 | 00,847,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\OpcServices.dll
[2009/11/05 06:39:13 | 00,829,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2009/11/05 06:39:13 | 00,828,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2009/11/05 06:39:13 | 00,793,088 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\FntCache.dll
[2009/11/05 06:39:13 | 00,667,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelinesvc.exe
[2009/11/05 06:39:13 | 00,486,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10level9.dll
[2009/11/05 06:39:13 | 00,351,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsPrint.dll
[2009/11/05 06:39:13 | 00,321,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PhotoMetadataHandler.dll
[2009/11/05 06:39:13 | 00,280,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsGdiConverter.dll
[2009/11/05 06:39:13 | 00,252,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxdiag.exe
[2009/11/05 06:39:13 | 00,195,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxdiagn.dll
[2009/11/05 06:39:13 | 00,190,464 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10core.dll
[2009/11/05 06:39:13 | 00,189,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WindowsCodecsExt.dll
[2009/11/05 06:39:13 | 00,135,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XpsRasterService.dll
[2009/11/05 06:39:13 | 00,026,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\printfilterpipelineprxy.dll
[2009/11/05 06:39:12 | 01,030,144 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10.dll
[2009/11/05 06:39:12 | 00,519,680 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d11.dll
[2009/11/05 06:39:12 | 00,481,792 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\dxgi.dll
[2009/11/05 06:39:12 | 00,218,112 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2009/11/05 06:39:12 | 00,161,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2009/11/05 06:38:51 | 00,030,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WPDShextAutoplay.exe
[2009/11/05 06:38:44 | 00,081,920 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wpdbusenum.dll
[2009/11/05 06:38:44 | 00,031,232 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\BthMtpContextHandler.dll
[2009/11/05 06:38:36 | 00,060,928 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceConnectApi.dll
[2009/11/05 06:38:36 | 00,033,280 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WpdConns.dll
[2009/11/05 06:38:35 | 02,537,472 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wpdshext.dll
[2009/11/05 06:38:35 | 00,546,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wpd_ci.dll
[2009/11/05 06:38:35 | 00,350,208 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WPDSp.dll
[2009/11/05 06:38:35 | 00,334,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceApi.dll
[2009/11/05 06:38:35 | 00,226,816 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WpdMtp.dll
[2009/11/05 06:38:35 | 00,196,608 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceWMDRM.dll
[2009/11/05 06:38:35 | 00,160,256 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceTypes.dll
[2009/11/05 06:38:35 | 00,100,864 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\PortableDeviceClassExtension.dll
[2009/11/05 06:38:35 | 00,087,552 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WPDShServiceObj.dll
[2009/11/05 06:38:35 | 00,061,952 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\WpdMtpUS.dll
[2009/11/05 06:38:35 | 00,040,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\WpdUsb.sys
[2009/11/05 06:37:20 | 00,004,096 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\oleaccrc.dll
[2009/11/05 06:37:19 | 00,555,520 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\UIAutomationCore.dll
[2009/11/05 06:37:19 | 00,234,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\oleacc.dll
[2009/11/04 21:11:31 | 05,939,712 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.dll
[2009/11/04 21:11:30 | 01,638,912 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2009/11/03 15:20:23 | 02,640,155 | -H-- | C] () -- C:\Users\Ryan\AppData\Local\IconCache.db
[2009/11/02 18:05:36 | 00,167,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xliveinstall.dll
[2009/11/02 18:05:34 | 00,071,832 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xliveinstallhost.exe
[2009/10/27 14:11:22 | 10,627,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmp.dll
[2009/10/27 14:11:20 | 00,310,784 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\unregmp2.exe
[2009/10/27 14:11:19 | 08,147,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\wmploc.DLL

========== Files - Modified Within 30 Days ==========

[2009/11/24 22:41:23 | 03,407,872 | -HS- | M] () -- C:\Users\Ryan\ntuser.dat
[2009/11/24 22:39:56 | 00,529,920 | ---- | M] (OldTimer Tools) -- C:\Users\Ryan\Desktop\runme.com
[2009/11/24 22:39:13 | 00,023,133 | ---- | M] () -- C:\Windows\System32\Config.MPF
[2009/11/24 21:46:00 | 00,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2009/11/24 21:26:10 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2009/11/24 21:26:10 | 00,003,696 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2009/11/24 20:43:24 | 00,032,256 | ---- | M] () -- C:\Users\Ryan\Desktop\novtrainingday.doc
[2009/11/24 07:46:00 | 00,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2009/11/23 14:00:26 | 00,000,368 | ---- | M] () -- C:\Windows\tasks\AWC Startup.job
[2009/11/23 01:57:05 | 00,524,288 | -HS- | M] () -- C:\Users\Ryan\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
[2009/11/23 01:57:05 | 00,065,536 | -HS- | M] () -- C:\Users\Ryan\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TM.blf
[2009/11/22 22:24:45 | 02,640,155 | -H-- | M] () -- C:\Users\Ryan\AppData\Local\IconCache.db
[2009/11/21 10:17:57 | 00,703,448 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2009/11/21 10:17:57 | 00,608,270 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2009/11/21 10:17:57 | 00,109,138 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2009/11/19 21:49:08 | 00,002,928 | ---- | M] () -- C:\Users\Ryan\Desktop\KASPERSKY.html
[2009/11/18 22:57:46 | 00,048,128 | ---- | M] () -- C:\Users\Ryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/11/17 23:26:53 | 00,065,536 | ---- | M] () -- C:\Windows\System32\Ikeext.etl
[2009/11/17 23:26:01 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2009/11/17 23:25:59 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2009/11/17 23:25:57 | 00,000,000 | ---- | M] () -- C:\Windows\System32\drivers\lvuvc.hs
[2009/11/17 12:55:31 | 00,000,760 | ---- | M] () -- C:\Users\Ryan\Documents\My Sharing Folders.lnk
[2009/11/17 12:47:15 | 00,001,973 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2009/11/15 22:24:01 | 00,000,000 | ---- | M] () -- C:\Users\Ryan\Desktop\settings.dat
[2009/11/15 22:23:15 | 00,472,064 | ---- | M] ( ) -- C:\Users\Ryan\Desktop\RootRepeal.exe
[2009/11/15 22:21:49 | 00,002,625 | ---- | M] () -- C:\Users\Ryan\Desktop\Attach.zip
[2009/11/15 22:16:04 | 00,523,776 | ---- | M] () -- C:\Users\Ryan\Desktop\dds.scr
[2009/11/15 03:05:38 | 00,000,348 | ---- | M] () -- C:\Windows\tasks\McDefragTask.job
[2009/11/14 23:00:17 | 00,047,616 | ---- | M] () -- C:\Users\Ryan\Desktop\Win32kDiag.exe
[2009/11/12 23:08:48 | 00,000,004 | ---- | M] () -- C:\Windows\System32\ESQULzxspectrum
[2009/11/12 22:21:26 | 24,400,8960 | ---- | M] () -- C:\Users\Public\Desktop\Secured2k-BootCD.ISO
[2009/11/12 14:28:55 | 15,603,7120 | ---- | M] () -- C:\Users\Ryan\Desktop\Create Secured2k BootCD.exe
[2009/11/12 09:46:39 | 03,563,264 | ---- | M] () -- C:\Users\Ryan\Desktop\ComboFix.exe
[2009/11/11 00:06:04 | 00,319,008 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2009/11/06 10:59:54 | 15,406,728 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\xlive.dll
[2009/11/06 10:59:54 | 13,642,888 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\xlivefnt.dll
[2009/11/06 10:58:04 | 00,178,975 | ---- | M] () -- C:\Windows\System32\xlive.dll.cat
[2009/11/05 12:36:21 | 26,768,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\mrt.exe
[2009/11/05 12:23:18 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
[2009/11/05 12:23:09 | 00,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2009/11/03 14:57:18 | 00,008,774 | ---- | M] () -- C:\Users\Ryan\AppData\Roaming\wklnhst.dat
[2009/11/02 20:42:06 | 00,195,456 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2009/11/02 18:05:36 | 00,167,064 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\xliveinstall.dll
[2009/11/02 18:05:34 | 00,071,832 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\xliveinstallhost.exe
[2009/11/01 00:00:02 | 00,000,350 | ---- | M] () -- C:\Windows\tasks\McQcTask.job
[2009/10/27 04:57:44 | 00,028,472 | ---- | M] () -- C:\Users\Ryan\Desktop\Halloween001.pdf

========== Files Created - No Company Name ==========

[2009/11/24 20:43:23 | 00,032,256 | ---- | C] () -- C:\Users\Ryan\Desktop\novtrainingday.doc
[2009/11/19 21:49:08 | 00,002,928 | ---- | C] () -- C:\Users\Ryan\Desktop\KASPERSKY.html
[2009/11/15 22:24:01 | 00,000,000 | ---- | C] () -- C:\Users\Ryan\Desktop\settings.dat
[2009/11/15 22:21:49 | 00,002,625 | ---- | C] () -- C:\Users\Ryan\Desktop\Attach.zip
[2009/11/15 22:15:53 | 00,523,776 | ---- | C] () -- C:\Users\Ryan\Desktop\dds.scr
[2009/11/14 23:00:13 | 00,047,616 | ---- | C] () -- C:\Users\Ryan\Desktop\Win32kDiag.exe
[2009/11/12 15:04:51 | 24,400,8960 | ---- | C] () -- C:\Users\Public\Desktop\Secured2k-BootCD.ISO
[2009/11/12 13:53:38 | 15,603,7120 | ---- | C] () -- C:\Users\Ryan\Desktop\Create Secured2k BootCD.exe
[2009/11/12 09:45:39 | 03,563,264 | ---- | C] () -- C:\Users\Ryan\Desktop\ComboFix.exe
[2009/11/06 10:58:04 | 00,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/11/05 12:23:18 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
[2009/11/05 12:23:09 | 00,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdFs_01_07_00.Wdf
[2009/11/03 15:20:23 | 02,640,155 | -H-- | C] () -- C:\Users\Ryan\AppData\Local\IconCache.db
[2009/10/27 04:57:44 | 00,028,472 | ---- | C] () -- C:\Users\Ryan\Desktop\Halloween001.pdf
[2009/09/18 18:53:06 | 00,117,248 | ---- | C] () -- C:\Windows\System32\EhStorAuthn.dll
[2009/09/18 18:52:44 | 00,368,640 | ---- | C] () -- C:\Windows\System32\msjetoledb40.dll
[2009/09/13 09:16:13 | 00,000,000 | ---- | C] () -- C:\Windows\OpPrintServer.INI
[2009/06/29 12:21:22 | 00,000,060 | ---- | C] () -- C:\Windows\ka.ini
[2008/09/22 09:35:12 | 00,060,124 | ---- | C] () -- C:\Windows\System32\tcpmon.ini
[2008/04/06 15:57:55 | 00,000,092 | ---- | C] () -- C:\Users\Ryan\AppData\Local\fusioncache.dat
[2008/04/06 15:00:37 | 00,103,736 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\PnkBstrB.exe
[2008/03/29 14:44:38 | 00,000,023 | ---- | C] () -- C:\Windows\BlendSettings.ini
[2008/03/28 22:34:52 | 00,043,520 | ---- | C] () -- C:\Windows\System32\CmdLineExt03.dll
[2007/12/15 09:23:13 | 00,000,196 | ---- | C] () -- C:\Windows\QTW.INI
[2007/12/15 09:20:56 | 00,000,000 | ---- | C] () -- C:\Windows\setup32.INI
[2007/11/28 22:06:07 | 00,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini
[2007/08/09 19:00:38 | 00,008,774 | ---- | C] () -- C:\Users\Ryan\AppData\Roaming\wklnhst.dat
[2007/07/29 10:06:55 | 00,057,126 | ---- | C] () -- C:\Windows\System32\lvcoinst.ini
[2007/07/29 09:50:17 | 00,000,581 | ---- | C] () -- C:\ProgramData\Installer.log
[2007/06/30 22:39:30 | 00,000,000 | ---- | C] () -- C:\Windows\pcfriend.INI
[2007/06/30 19:50:56 | 00,000,680 | ---- | C] () -- C:\Users\Ryan\AppData\Local\d3d9caps.dat
[2007/06/30 17:57:38 | 00,000,331 | ---- | C] () -- C:\Windows\doom3.ini
[2007/06/25 15:42:04 | 00,048,128 | ---- | C] () -- C:\Users\Ryan\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/06/25 15:36:24 | 00,081,208 | ---- | C] () -- C:\Users\Ryan\AppData\Local\GDIPFONTCACHEV1.DAT
[2007/06/03 13:31:28 | 00,010,752 | ---- | C] () -- C:\Windows\System32\ff_vfw.dll
[2007/05/11 16:30:16 | 00,025,888 | ---- | C] () -- C:\Windows\System32\drivers\LVPr2Mon.sys
[2007/05/11 16:27:58 | 02,107,808 | ---- | C] () -- C:\Windows\System32\drivers\Lvckap.sys
[2007/02/05 19:05:26 | 00,000,038 | ---- | C] () -- C:\Windows\AviSplitter.INI
[2006/11/02 07:50:50 | 00,000,174 | -HS- | C] () -- C:\Program Files\desktop.ini
[2006/11/02 07:37:35 | 00,037,665 | ---- | C] () -- C:\Windows\Fonts\GlobalUserInterface.CompositeFont
[2006/11/02 07:37:35 | 00,029,779 | ---- | C] () -- C:\Windows\Fonts\GlobalSerif.CompositeFont
[2006/11/02 07:37:35 | 00,026,489 | ---- | C] () -- C:\Windows\Fonts\GlobalSansSerif.CompositeFont
[2006/11/02 07:37:35 | 00,026,040 | ---- | C] () -- C:\Windows\Fonts\GlobalMonospace.CompositeFont
[2006/11/02 07:35:32 | 00,005,632 | ---- | C] () -- C:\Windows\System32\sysprepMCE.dll
[2006/11/02 05:33:01 | 00,703,448 | ---- | C] () -- C:\Windows\System32\PerfStringBackup.INI
[2006/11/02 05:25:44 | 00,159,744 | ---- | C] () -- C:\Windows\System32\atitmmxx.dll
[2006/11/02 05:24:31 | 00,001,405 | ---- | C] () -- C:\Windows\msdfmap.ini
[2006/11/02 05:23:31 | 00,000,219 | ---- | C] () -- C:\Windows\system.ini
[2006/11/02 05:23:31 | 00,000,144 | ---- | C] () -- C:\Windows\win.ini
[2006/11/02 02:40:29 | 00,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini
[2006/11/02 02:09:45 | 00,027,097 | ---- | C] () -- C:\Windows\System32\country.sys
[2006/11/02 02:09:44 | 00,042,809 | ---- | C] () -- C:\Windows\System32\KEY01.SYS
[2006/11/02 02:09:44 | 00,042,537 | ---- | C] () -- C:\Windows\System32\KEYBOARD.SYS
[2006/11/02 02:09:42 | 00,009,029 | ---- | C] () -- C:\Windows\System32\ANSI.SYS
[2006/11/02 02:09:41 | 00,004,768 | ---- | C] () -- C:\Windows\System32\HIMEM.SYS
[2006/11/02 02:09:40 | 00,029,274 | ---- | C] () -- C:\Windows\System32\NTDOS412.SYS
[2006/11/02 02:09:38 | 00,029,370 | ---- | C] () -- C:\Windows\System32\NTDOS411.SYS
[2006/11/02 02:09:35 | 00,029,146 | ---- | C] () -- C:\Windows\System32\NTDOS404.SYS
[2006/11/02 02:09:31 | 00,029,146 | ---- | C] () -- C:\Windows\System32\NTDOS804.SYS
[2006/11/02 02:09:29 | 00,027,866 | ---- | C] () -- C:\Windows\System32\NTDOS.SYS
[2006/11/02 02:09:26 | 00,035,536 | ---- | C] () -- C:\Windows\System32\NTIO412.SYS
[2006/11/02 02:09:24 | 00,035,776 | ---- | C] () -- C:\Windows\System32\NTIO411.SYS
[2006/11/02 02:09:23 | 00,034,672 | ---- | C] () -- C:\Windows\System32\NTIO404.SYS
[2006/11/02 02:09:22 | 00,034,672 | ---- | C] () -- C:\Windows\System32\NTIO804.SYS
[2006/11/02 02:09:20 | 00,033,952 | ---- | C] () -- C:\Windows\System32\NTIO.SYS
[2006/11/02 01:25:08 | 00,013,312 | ---- | C] () -- C:\Windows\System32\win87em.dll
[2006/09/16 23:36:50 | 00,520,192 | ---- | C] () -- C:\Windows\System32\CddbPlaylist2Roxio.dll
[2006/09/16 23:36:50 | 00,204,800 | ---- | C] () -- C:\Windows\System32\CddbFileTaggerRoxio.dll
[2006/02/25 13:12:34 | 00,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll
[2006/02/25 13:09:38 | 00,774,144 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2005/05/04 19:59:12 | 00,000,000 | ---- | C] () -- C:\Windows\System32\px.ini
< End of report >


Here's the Extras.txt file:

OTL Extras logfile created on: 24/11/2009 10:41:32 PM - Run 1
OTL by OldTimer - Version 3.1.8.0 Folder = C:\Users\Ryan\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18828)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.51 Gb Available Physical Memory | 75.45% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): ?:\pagefile.sys

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 288.03 Gb Total Space | 56.19 Gb Free Space | 19.51% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.37 Gb Free Space | 53.68% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: OFFICE-PC
Current User Name: Ryan
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SystemRoot%\hh.exe" %1
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\iexplore.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1280494866-3057319620-478108040-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SystemRoot%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %* File not found
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %windir%\system32\mshtml.dll,PrintHTML "%1" File not found
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Program Files\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"UacDisableNotify" = 1
"InternetSettingsDisableNotify" = 1
"AutoUpdateDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{18AB1A6C-57B5-485E-B1AD-F9A48DF6B4A5}" = lport=2869 | protocol=6 | dir=in | app=system |
"{2BE6E5D0-FEB1-4AA6-A5CD-179D1A2B863D}" = lport=2869 | protocol=6 | dir=in | app=system |
"{AED2046E-5F51-423D-94BA-CA2E77DC8904}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{C1420020-A907-4B65-B65D-BB3862EAAA8A}" = lport=2869 | protocol=6 | dir=in | app=system |
"{CB6AE5CF-CD86-4A4B-80F7-0E7F901E8157}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{CEFF8CDE-A6B6-4428-A530-EC0BEAD185AC}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{04F8212C-4C8B-4CBE-ABC9-216642454B92}" = dir=in | app=c:\program files\msn messenger\livecall.exe |
"{1D83A42E-D526-4FC4-8B2E-CDD187B8E220}" = protocol=17 | dir=in | app=c:\program files\microsoft games\halo 2\halo2.exe |
"{30373D8B-1557-4AD6-8C5C-9E37E497334D}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{33CED5DC-8E8F-49F3-8824-3DAAF13742F3}" = protocol=17 | dir=in | app=c:\program files\limewire\limewire.exe |
"{33F7A8BF-F8BE-443D-A067-0FB4A626507A}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"{3AB75003-F0EB-4CC6-B75E-E9A26AA9A4D8}" = protocol=6 | dir=in | app=c:\program files\limewire\limewire.exe |
"{49AD2F7D-A57E-40CE-9CAD-90645FFC2C2A}" = dir=in | app=c:\program files\windows live\messenger\wlcsdk.exe |
"{72D3F224-A02E-42F1-9E27-B9B1D0C54DDA}" = protocol=6 | dir=in | app=c:\program files\microsoft games\halo 2\halo2.exe |
"{A02812FE-CD41-49F6-9BCA-A5E754189064}" = protocol=17 | dir=in | app=c:\program files\electronic arts\crytek\crysis\bin32\crysis.exe |
"{B3357E2B-E91F-4B69-8895-DB9BF09E6EC2}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{B4D072DD-EC16-4227-B4F8-826212697341}" = protocol=6 | dir=in | app=c:\program files\electronic arts\crytek\crysis\bin32\crysis.exe |
"{B516CC7B-BDAC-4516-9172-9BB6FB0EB35B}" = protocol=17 | dir=in | app=c:\program files\electronic arts\crytek\crysis\bin32\crysisdedicatedserver.exe |
"{C221B289-38B8-4EF5-BA9C-E5613774EE40}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{CB85DF50-CF7B-486F-A765-B88623859432}" = protocol=17 | dir=in | app=c:\windows\system32\pnkbstra.exe |
"{CEAB2ACA-E665-4BE9-88D3-0AF0438234B6}" = dir=in | app=c:\program files\common files\mcafee\mna\mcnasvc.exe |
"{CED1FE98-8CA4-4A07-A362-73DEE0E8DA20}" = dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"{CFD23452-679E-4EA6-9FA9-5C148E932E75}" = protocol=6 | dir=in | app=c:\program files\electronic arts\crytek\crysis\bin32\crysisdedicatedserver.exe |
"{D94DE921-1AD1-488D-AE94-B40C3C32F098}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{DDC7CE3D-C969-4676-AC5C-C1C5DE0B2E73}" = dir=in | app=c:\program files\msn messenger\msnmsgr.exe |
"{E1F1C616-2589-423A-B533-E66F5BE275A6}" = dir=in | app=c:\program files\msn messenger\livecall.exe |
"{F4DAC5DD-5BA4-4664-BA94-543816AF85EA}" = protocol=6 | dir=in | app=c:\windows\system32\pnkbstrb.exe |
"TCP Query User{28982EF4-D82F-4DF3-8AA7-5CEC1FE220ED}C:\program files\limewire\ieembed.exe" = protocol=6 | dir=in | app=c:\program files\limewire\ieembed.exe |
"TCP Query User{3EA01046-6BBA-4313-92C0-47AB2CDB5272}C:\program files\lucasarts\swkotor2\swupdate.exe" = protocol=6 | dir=in | app=c:\program files\lucasarts\swkotor2\swupdate.exe |
"TCP Query User{516FB202-6024-444F-BA3F-3B9212AEBD52}C:\program files\mozilla firefox\firefox.exe" = protocol=6 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"TCP Query User{5ACD3440-60DA-4F3B-8D81-4DFE7F73AD8D}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{6C35D603-3EA9-4871-A529-EDB948C6418B}C:\program files\electronic arts\eadm\core.exe" = protocol=6 | dir=in | app=c:\program files\electronic arts\eadm\core.exe |
"TCP Query User{A6A1B304-765B-49A9-A5E5-022F08749F92}C:\program files\vuze\azureus.exe" = protocol=6 | dir=in | app=c:\program files\vuze\azureus.exe |
"TCP Query User{FF8C8FBB-A278-4424-B778-BCC001EE52FD}C:\users\ryan\unreal tournament\system\unrealtournament.exe" = protocol=6 | dir=in | app=c:\users\ryan\unreal tournament\system\unrealtournament.exe |
"UDP Query User{04BEBD4E-74B3-44D9-8060-FD270ABE59B0}C:\program files\vuze\azureus.exe" = protocol=17 | dir=in | app=c:\program files\vuze\azureus.exe |
"UDP Query User{4ED65081-BC0B-46D7-84C6-285DC73E7326}C:\program files\limewire\ieembed.exe" = protocol=17 | dir=in | app=c:\program files\limewire\ieembed.exe |
"UDP Query User{5CEC6F97-9AD4-4D3C-8964-557FEB0C6B79}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{A9A02F4A-4048-48BC-A807-AC8025502F5F}C:\program files\mozilla firefox\firefox.exe" = protocol=17 | dir=in | app=c:\program files\mozilla firefox\firefox.exe |
"UDP Query User{B847B424-9546-4ED6-8A07-0F7B27F71A72}C:\program files\lucasarts\swkotor2\swupdate.exe" = protocol=17 | dir=in | app=c:\program files\lucasarts\swkotor2\swupdate.exe |
"UDP Query User{BD4A0224-8D84-4922-A9D7-4B13B5B5355D}C:\program files\electronic arts\eadm\core.exe" = protocol=17 | dir=in | app=c:\program files\electronic arts\eadm\core.exe |
"UDP Query User{D788984B-386B-4552-B938-7B52ED3E654F}C:\users\ryan\unreal tournament\system\unrealtournament.exe" = protocol=17 | dir=in | app=c:\users\ryan\unreal tournament\system\unrealtournament.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{000E79B7-E725-4F01-870A-C12942B7F8E4}" = Crysis®
"{00C5F4F4-62F9-40D7-8000-AD8A9CD0C669}" = Microsoft Games for Windows - LIVE Redistributable
"{0394CDC8-FABD-4ed8-B104-03393876DFDF}" = Roxio Creator Tools
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0CA38F52-F0FA-4B9F-8A36-EC8A9609FBBC}" = Halo 2 for Windows Vista
"{0D397393-9B50-4c52-84D5-77E344289F87}" = Roxio Creator Data
"{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}" = Dell System Customization Wizard
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2A9A40C7-6670-4D5F-8F41-D12E2E08B48B}" = Star Wars®: Knights of the Old Republic ™
"{2C9EE786-1DDB-4C98-8FA4-B1B9B5A66B77}" = Microsoft Games for Windows - LIVE
"{30465B6C-B53F-49A1-9EBA-A3F187AD502E}" = Roxio Update Manager
"{3248F0A8-6813-11D6-A77B-00B0D0150030}" = J2SE Runtime Environment 5.0 Update 3
"{3248F0A8-6813-11D6-A77B-00B0D0160000}" = Java™ SE Runtime Environment 6
"{35725FBC-A136-4A46-9F29-091759D9BB93}" = MVision
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}" = Sonic Activation Module
"{36CDA33B-909B-4719-97D1-C4B99309BDC7}" = ATI Parental Control & Encoder
"{3921A67A-5AB1-4E48-9444-C71814CF3027}" = VCRedistSetup
"{398AB469-77FC-4935-820B-D419388C0A6A}" = LEGO® Batman™
"{3D374523-CFDE-461A-827E-2A102E2AB365}" = Star Wars Battlefront II
"{3EE33958-7381-4E7B-A4F3-6E43098E9E9C}" = URL Assistant
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{578FA426-47C0-4A3F-98A4-01ACD26B7556}" = LEGO Star Wars II
"{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}" = Skype™ 3.2
"{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}" = User's Guides
"{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}" = Roxio Creator Copy
"{629F65FB-7F3C-4D66-A1C0-20722744B7B6}" = Star Wars® Knights of the Old Republic® II: The Sith Lords™
"{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}" = Roxio Express Labeler
"{66F0AC35-4805-44BC-A3D4-347D4196F9B3}" = Microsoft Xbox 360 Accessories 1.1
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7353BAE6-5E49-46C4-A9B5-8A269A313789}" = Crysis WARHEAD®
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7EFA5E6F-74F7-4AFB-8AEA-AA790BD3A76D}" = DellSupport
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{83FFCFC7-88C6-41c6-8752-958A45325C82}" = Roxio Creator Audio
"{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}" = Roxio Creator BDAV Plugin
"{8E1AB809-F821-4F41-8431-44A11ED1EDBA}" = TVT7Diag
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{9A2F0A59-B202-4D2A-9343-A7E5ACE852B7}" = JSWPFCom
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A7AA93B6-6909-4073-B4EC-45CCDEFD4665}" = NHL® 08
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A943CC79-CC0E-4F74-B613-EAB418F043AD}" = JSWorldKGMain
"{AC76BA86-7AD7-1033-7B44-A71000000002}" = Adobe Reader 7.1.0
"{B2EB23D7-8AA5-457F-82B8-4F60321A9CC7}" = JSWPFGradeK
"{BEF726DD-4037-4214-8C6A-E625C02D2870}" = Logitech Audio Echo Cancellation Component
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}" = Roxio Creator DE
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D639085F-4B6E-4105-9F37-A0DBB023E2FB}" = Roxio MyDVD DE
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{E280923D-C5D9-4728-8C79-AC9A0DC75875}" = BioShock
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}" = Doom 3
"{EFA2BBEB-CF93-493B-904B-1B970B8DFAB6}" = Logitech QuickCam
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F9FD80CE-0448-4D4F-8BCD-77FC514C3F99}" = Vista Codec Package
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Crysis WARHEAD®" = Crysis WARHEAD®
"EPSON Scanner" = EPSON Scan
"Google Chrome" = Google Chrome
"Google Desktop" = Google Desktop
"Guitar Pro 5_is1" = Guitar Pro 5.2
"Halo 2" = Halo 2 for Windows Vista
"InstallShield_{398AB469-77FC-4935-820B-D419388C0A6A}" = LEGO® Batman™
"InstallShield_{578FA426-47C0-4A3F-98A4-01ACD26B7556}" = LEGO Star Wars II
"InstallShield_{A943CC79-CC0E-4F74-B613-EAB418F043AD}" = JSWorldKGMain
"InstallShield_{EEFB15EB-FE8B-47DF-A496-1C4D1420294A}" = Doom 3
"JS World Kindergarten" = JS World Kindergarten
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSC" = McAfee SecurityCenter
"NVIDIA Drivers" = NVIDIA Drivers
"Picasa2" = Picasa 2
"PunkBusterSvc" = PunkBuster Services
"QcDrv" = Logitech® Camera Driver
"Quick StartUp_is1" = Quick StartUp 2.1
"Samsung ML-1200 Series" = Samsung ML-1200 Series
"Steam App 13210" = Unreal Tournament 3
"Steam App 220" = Half-Life 2
"Steam App 340" = Half-Life 2: Lost Coast
"Steam App 380" = Half-Life 2: Episode One
"Steam App 400" = Portal
"Steam App 420" = Half-Life 2: Episode Two
"Steam App 440" = Team Fortress 2
"The Cat in the Hat" = The Cat in the Hat
"Unofficial Oblivion Patch_is1" = Unofficial Oblivion Patch v3.2.0
"Unofficial Shivering Isles Patch_is1" = Unofficial Shivering Isles Patch v1.4.0
"VLC media player" = VLC media player 0.9.2
"Winamp" = Winamp
"Windows Essentials Media Codec Pack" = Windows Essentials Media Codec Pack 2.3d
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1280494866-3057319620-478108040-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{9863F141-7A33-4c9a-A5F2-96996461B216}" = KODAK EASYSHARE Gallery Easy Upload, v2.1

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 10/06/2008 10:00:05 PM | Computer Name = Office-PC | Source = RasClient | ID = 20227
Description =

Error - 10/06/2008 10:00:06 PM | Computer Name = Office-PC | Source = RasClient | ID = 20227
Description =

Error - 11/06/2008 1:18:33 AM | Computer Name = Office-PC | Source = RasClient | ID = 20227
Description =

Error - 11/06/2008 1:20:10 AM | Computer Name = Office-PC | Source = RasClient | ID = 20227
Description =

Error - 13/06/2008 1:30:10 AM | Computer Name = Office-PC | Source = Application Hang | ID = 1002
Description = The program wmplayer.exe version 11.0.6000.6344 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Problem Reports and Solutions control panel. Process
ID: 1340 Start Time: 01c8cd1598128047 Termination Time: 52

Error - 14/06/2008 7:56:29 AM | Computer Name = Office-PC | Source = VSS | ID = 12310
Description =

Error - 14/06/2008 7:56:29 AM | Computer Name = Office-PC | Source = VSS | ID = 12298
Description =

Error - 14/06/2008 7:33:54 PM | Computer Name = Office-PC | Source = Application Error | ID = 1000
Description = Faulting application Oblivion.exe, version 1.1.0.425, time stamp 0x444e8718,
faulting module Oblivion.exe, version 1.1.0.425, time stamp 0x444e8718, exception
code 0xc0000005, fault offset 0x00314a99, process id 0x1324, application start time
0x01c8ce6f07e3c30d.

Error - 14/06/2008 11:11:59 PM | Computer Name = Office-PC | Source = RasClient | ID = 20227
Description =

Error - 16/06/2008 12:54:56 AM | Computer Name = Office-PC | Source = RasClient | ID = 20227
Description =

[ System Events ]
Error - 15/11/2009 3:47:26 PM | Computer Name = Office-PC | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 15/11/2009 3:49:13 PM | Computer Name = Office-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 16/11/2009 7:55:00 AM | Computer Name = Office-PC | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 16/11/2009 7:55:08 AM | Computer Name = Office-PC | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 16/11/2009 7:56:55 AM | Computer Name = Office-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 16/11/2009 7:56:55 AM | Computer Name = Office-PC | Source = Service Control Manager | ID = 7026
Description =

Error - 18/11/2009 12:25:20 AM | Computer Name = Office-PC | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 18/11/2009 12:25:53 AM | Computer Name = Office-PC | Source = volmgr | ID = 262190
Description = Crash dump initialization failed!

Error - 18/11/2009 12:27:16 AM | Computer Name = Office-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 19/11/2009 7:17:01 AM | Computer Name = Office-PC | Source = LsaSrv | ID = 6033
Description = An anonymous session connected from 89.216.46.58 has attempted to
open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED
to prevent leaking security sensitive information to the anonymous caller. The
application that made this attempt needs to be fixed. Please contact the application
vendor. As a temporary workaround, this security measure can be disabled by setting
the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock
DWORD value to 1. This message will be logged at most once a day.


< End of report >

#6 myrti

  • Sillyberry
  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 24 November 2009 - 11:21 PM

Hi,

I would like a closer look at the rootkit; please run gmer:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!

 

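myrti's post asks for a GMER log so the rootkit can be looked at more closely. As an added example (not from the thread, from GMER or from BleepingComputer), here is a small Python helper for triaging the "Kernel code sections" and "User code sections" lines of such a log: it separates hooks GMER resolved to a named module (here McAfee's mfehidk.sys) from jumps into anonymous memory, and lists APIs patched identically in more than one process. The line layout encoded in HOOK_RE is my reading of the log posted in this thread, and the sample lines are a handful copied from it.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few lines copied from the GMER 1.0.15 log in this thread (not the full log).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82047982 5 Bytes JMP 805CD7CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8225DD59 5 Bytes JMP 805CD7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E80E340, 0x35AB67, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 00170F08
.text C:\Windows\system32\services.exe[644] WS2_32.dll!socket 76A536D1 5 Bytes JMP 00950FEF
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 001100DF
.text C:\Windows\system32\lsass.exe[656] WS2_32.dll!socket 76A536D1 5 Bytes JMP 0082000A
.text C:\Windows\System32\svchost.exe[956] wininet.dll!InternetOpenA 7649D690 5 Bytes JMP 01100000
"""

# Assumed layout of one inline-hook line, derived from the log above:
#   <section> <image[pid] module | kernel image>!<export> <addr> <n> Bytes JMP <target> [<owner> (<description>)]
HOOK_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<where>.+?)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<owner>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)
PROC_RE = re.compile(r"^(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)$")


@dataclass
class Hook:
    process: str                  # "kernel" for kernel-mode entries, else "image[pid]"
    module: str                   # module whose export was patched
    function: str
    address: int
    target: int
    attributed_to: Optional[str]  # module GMER resolved the jump target to, if any

    @property
    def api(self) -> str:
        return f"{self.module}!{self.function}"

    @property
    def target_region(self) -> str:
        # 64 KiB granularity: all hooks in one process normally land in the same region
        return f"{self.target & 0xFFFF0000:08X}"


def parse_hook(line: str) -> Optional[Hook]:
    """Parse one hook line; return None for lines in another format."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    pm = PROC_RE.match(m.group("where"))
    if pm:  # user-mode entry: image path, pid and patched module
        image = pm.group("image").rsplit("\\", 1)[-1]
        process, module = f"{image}[{pm.group('pid')}]", pm.group("module")
    else:   # kernel entry: only the kernel image name precedes the export
        process, module = "kernel", m.group("where")
    return Hook(process=process, module=module, function=m.group("func"),
                address=int(m.group("addr"), 16), target=int(m.group("target"), 16),
                attributed_to=m.group("owner"))


def triage(log_text: str) -> dict:
    """Split hooks into those GMER tied to a named module and anonymous ones."""
    attributed: Counter = Counter()
    anonymous: dict = defaultdict(list)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("----"):
            continue
        hook = parse_hook(line)
        if hook is None:
            unparsed += 1          # e.g. "section is writeable" entries: review by hand
        elif hook.attributed_to:
            attributed[hook.attributed_to] += 1
        else:
            anonymous[hook.process].append(hook)
    # The same API patched in several processes with no owning module is the
    # pattern of a system-wide injection rather than one misbehaving program.
    procs_per_api: dict = defaultdict(set)
    for proc, hooks in anonymous.items():
        for h in hooks:
            procs_per_api[h.api].add(proc)
    widespread = sorted(api for api, procs in procs_per_api.items() if len(procs) > 1)
    return {
        "attributed": dict(attributed),
        "anonymous_by_process": {p: [(h.api, h.target_region) for h in hs] for p, hs in anonymous.items()},
        "widespread_anonymous_apis": widespread,
        "unparsed_lines": unparsed,
    }
```

Run against a full log, the per-process target regions make it easy to see whether every process carries hooks into the same kind of unnamed memory block, which is what a helper reading this thread's log would look for.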


#7 delldummy99

  • Topic Starter
  • Members
  • 12 posts

Posted 25 November 2009 - 12:35 PM

Here's my gmer log:

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-25 12:32:14
Windows 6.0.6002 Service Pack 2
Running: okw66kxb.exe; Driver: C:\Users\Ryan\AppData\Local\Temp\pwryapod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x805CD79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x805CD738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x805CD74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x805CD7DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0x805CD81F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x805CD710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x805CD724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x805CD7B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0x805CD847]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0x805CD833]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x805CD78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x805CD776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x805CD80B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x805CD7F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x805CD7C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x805CD762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82047982 5 Bytes JMP 805CD7CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 821DB5B5 5 Bytes JMP 805CD823 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 821E5B82 5 Bytes JMP 805CD766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 8220CD5D 5 Bytes JMP 805CD80F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 8222C446 7 Bytes JMP 805CD7E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 8222C709 5 Bytes JMP 805CD7F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 82230474 5 Bytes JMP 805CD77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 82235E7D 7 Bytes JMP 805CD7B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 8223809A 5 Bytes JMP 805CD728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 8223CB48 5 Bytes JMP 805CD714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 8225DD59 5 Bytes JMP 805CD7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8226E7B2 5 Bytes JMP 805CD837 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8226F9B6 5 Bytes JMP 805CD84B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 822AD74B 5 Bytes JMP 805CD73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 822AD796 7 Bytes JMP 805CD750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 822AE253 5 Bytes JMP 805CD78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E80E340, 0x35AB67, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[644] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 00170F34
.text C:\Windows\system32\services.exe[644] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 0017007A
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 00170F08
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 0017009F
.text C:\Windows\system32\services.exe[644] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 00170F7E
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 00170011
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 00170FC0
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 00170F4F
.text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 00170058
.text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00170FA5
.text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00170047
.text C:\Windows\system32\services.exe[644] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 0017002C
.text C:\Windows\system32\services.exe[644] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00170069
.text C:\Windows\system32\services.exe[644] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 00170EE3
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 00170000
.text C:\Windows\system32\services.exe[644] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00170FEF
.text C:\Windows\system32\services.exe[644] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 00170F23
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 00900F9B
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 0090002C
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00900000
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00900047
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 00900F8A
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 00900FDB
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 00900011
.text C:\Windows\system32\services.exe[644] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 00900FC0
.text C:\Windows\system32\services.exe[644] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 00430FD9
.text C:\Windows\system32\services.exe[644] msvcrt.dll!system 762C804B 5 Bytes JMP 0043005A
.text C:\Windows\system32\services.exe[644] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 0043002E
.text C:\Windows\system32\services.exe[644] msvcrt.dll!_open 762CD106 5 Bytes JMP 00430000
.text C:\Windows\system32\services.exe[644] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 00430049
.text C:\Windows\system32\services.exe[644] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 00430011
.text C:\Windows\system32\services.exe[644] WS2_32.dll!socket 76A536D1 5 Bytes JMP 00950FEF
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 00110F6D
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 00110F7E
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 001100DF
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 00110F48
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 00110098
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 0011001B
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 00110040
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 001100A9
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 00110087
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00110FCA
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00110076
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 0011005B
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00110FA3
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 00110F2D
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 00110FE5
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00110000
.text C:\Windows\system32\lsass.exe[656] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 001100C4
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 00130F90
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 00130FBC
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00130FEF
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00130FAB
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 00130F75
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 00130FCD
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 00130FDE
.text C:\Windows\system32\lsass.exe[656] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 00130028
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 00120FB9
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!system 762C804B 5 Bytes JMP 00120044
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 00120FDE
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_open 762CD106 5 Bytes JMP 00120000
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 00120029
.text C:\Windows\system32\lsass.exe[656] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 00120FEF
.text C:\Windows\system32\lsass.exe[656] WS2_32.dll!socket 76A536D1 5 Bytes JMP 0082000A
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 002C007B
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 002C0F35
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 002C00A7
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 002C008C
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 002C0059
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 002C0FDE
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 002C0FCD
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 002C0F50
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 002C0F75
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 002C0FA1
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 002C0F86
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 002C0FBC
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 002C006A
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 002C00B8
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 002C0FEF
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 002C000A
.text C:\Windows\system32\svchost.exe[804] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 002C0F1A
.text C:\Windows\system32\svchost.exe[804] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 002D0FD4
.text C:\Windows\system32\svchost.exe[804] msvcrt.dll!system 762C804B 5 Bytes JMP 002D0FE5
.text C:\Windows\system32\svchost.exe[804] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 002D003A
.text C:\Windows\system32\svchost.exe[804] msvcrt.dll!_open 762CD106 5 Bytes JMP 002D0000
.text C:\Windows\system32\svchost.exe[804] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 002D004B
.text C:\Windows\system32\svchost.exe[804] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 002D0029
.text C:\Windows\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 002E007A
.text C:\Windows\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 002E004E
.text C:\Windows\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 002E0000
.text C:\Windows\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 002E005F
.text C:\Windows\system32\svchost.exe[804] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 002E0095
.text C:\Windows\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 002E002C
.text C:\Windows\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 002E001B
.text C:\Windows\system32\svchost.exe[804] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 002E003D
.text C:\Windows\system32\svchost.exe[804] WS2_32.dll!socket 76A536D1 5 Bytes JMP 00340000
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 0077009D
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 00770F57
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 007700D3
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 00770F3C
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 0077006E
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 0077001B
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 0077002C
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 00770F68
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 00770051
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00770FA5
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00770F94
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 00770FC0
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00770F79
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 007700E4
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 00770000
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00770FE5
.text C:\Windows\system32\svchost.exe[904] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 007700C2
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 00780F89
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!system 762C804B 5 Bytes JMP 0078000A
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 00780FB5
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_open 762CD106 5 Bytes JMP 00780FEF
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 00780F9A
.text C:\Windows\system32\svchost.exe[904] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 00780FD2
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 00790F8D
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 00790025
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00790FE5
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00790F9E
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 00790F72
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 00790FB9
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 00790FCA
.text C:\Windows\system32\svchost.exe[904] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 00790014
.text C:\Windows\system32\svchost.exe[904] WS2_32.dll!socket 76A536D1 5 Bytes JMP 007A0FEF
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 00D2009D
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 00D20F57
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 00D20F17
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 00D20F32
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 00D20F83
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 00D20FB9
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 00D2000A
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 00D20F68
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 00D20051
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00D20025
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00D20036
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 00D20F9E
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00D20078
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 00D200C9
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 00D20FD4
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00D20FE5
.text C:\Windows\System32\svchost.exe[956] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 00D200AE
.text C:\Windows\System32\svchost.exe[956] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 00D30F8D
.text C:\Windows\System32\svchost.exe[956] msvcrt.dll!system 762C804B 5 Bytes JMP 00D30FA8
.text C:\Windows\System32\svchost.exe[956] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 00D30FDE
.text C:\Windows\System32\svchost.exe[956] msvcrt.dll!_open 762CD106 5 Bytes JMP 00D30000
.text C:\Windows\System32\svchost.exe[956] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 00D30FC3
.text C:\Windows\System32\svchost.exe[956] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 00D30FEF
.text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 00D4004E
.text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 00D40022
.text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00D40FEF
.text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00D40033
.text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 00D40F91
.text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 00D40000
.text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 00D40FCA
.text C:\Windows\System32\svchost.exe[956] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 00D40011
.text C:\Windows\System32\svchost.exe[956] WS2_32.dll!socket 76A536D1 5 Bytes JMP 01110FEF
.text C:\Windows\System32\svchost.exe[956] wininet.dll!InternetOpenA 7649D690 5 Bytes JMP 01100000
.text C:\Windows\System32\svchost.exe[956] wininet.dll!InternetOpenW 7649DB09 5 Bytes JMP 01100FE5
.text C:\Windows\System32\svchost.exe[956] wininet.dll!InternetOpenUrlA 7649F3A4 5 Bytes JMP 01100FCA
.text C:\Windows\System32\svchost.exe[956] wininet.dll!InternetOpenUrlW 764E6DDF 5 Bytes JMP 01100011
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 008700DF
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 008700C4
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 00870F63
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 008700FA
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 00870FA3
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 0087002C
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 00870047
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 008700B3
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 0087007D
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00870058
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00870FC0
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 00870FDB
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00870098
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 00870F52
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 00870011
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00870000
.text C:\Windows\System32\svchost.exe[1004] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 00870F7E
.text C:\Windows\System32\svchost.exe[1004] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 00880064
.text C:\Windows\System32\svchost.exe[1004] msvcrt.dll!system 762C804B 5 Bytes JMP 00880053
.text C:\Windows\System32\svchost.exe[1004] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 0088001D
.text C:\Windows\System32\svchost.exe[1004] msvcrt.dll!_open 762CD106 5 Bytes JMP 00880FEF
.text C:\Windows\System32\svchost.exe[1004] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 00880038
.text C:\Windows\System32\svchost.exe[1004] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 0088000C
.text C:\Windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 00890FC3
.text C:\Windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 0089004A
.text C:\Windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00890FEF
.text C:\Windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00890065
.text C:\Windows\System32\svchost.exe[1004] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 00890080
.text C:\Windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 00890014
.text C:\Windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 00890FDE
.text C:\Windows\System32\svchost.exe[1004] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 00890039
.text C:\Windows\System32\svchost.exe[1004] WS2_32.dll!socket 76A536D1 5 Bytes JMP 008A0FEF
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 01000F2B
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 01000F46
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 01000EDA
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 01000EFF
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 01000F83
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 0100001B
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 01000FCA
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 01000F57
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 01000F9E
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 01000040
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 0100005B
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 01000FAF
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 01000F72
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 01000EBF
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 0100000A
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 01000FEF
.text C:\Windows\System32\svchost.exe[1036] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 01000F10
.text C:\Windows\System32\svchost.exe[1036] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 01010064
.text C:\Windows\System32\svchost.exe[1036] msvcrt.dll!system 762C804B 5 Bytes JMP 01010FD9
.text C:\Windows\System32\svchost.exe[1036] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 01010038
.text C:\Windows\System32\svchost.exe[1036] msvcrt.dll!_open 762CD106 5 Bytes JMP 01010000
.text C:\Windows\System32\svchost.exe[1036] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 01010049
.text C:\Windows\System32\svchost.exe[1036] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 01010011
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 01020047
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 01020FB6
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 01020FEF
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 01020FA5
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 01020F8A
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 01020011
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 01020000
.text C:\Windows\System32\svchost.exe[1036] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 0102002C
.text C:\Windows\System32\svchost.exe[1036] WS2_32.dll!socket 76A536D1 5 Bytes JMP 01030000
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 012B0F52
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 012B0F63
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 012B0F1C
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 012B00A9
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 012B0073
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 012B0FCA
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 012B001B
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 012B008E
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 012B0062
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 012B003D
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 012B0FA5
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 012B002C
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 012B0F7E
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 012B0F0B
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 012B0000
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 012B0FE5
.text C:\Windows\system32\svchost.exe[1084] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 012B0F37
.text C:\Windows\system32\svchost.exe[1084] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 012D0FB4
.text C:\Windows\system32\svchost.exe[1084] msvcrt.dll!system 762C804B 5 Bytes JMP 012D003F
.text C:\Windows\system32\svchost.exe[1084] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 012D001D
.text C:\Windows\system32\svchost.exe[1084] msvcrt.dll!_open 762CD106 5 Bytes JMP 012D000C
.text C:\Windows\system32\svchost.exe[1084] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 012D002E
.text C:\Windows\system32\svchost.exe[1084] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 012D0FEF
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 012E0043
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 012E0FBC
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 012E0FEF
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 012E0FAB
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 012E0F86
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 012E0014
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 012E0FDE
.text C:\Windows\system32\svchost.exe[1084] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 012E0FCD
.text C:\Windows\system32\svchost.exe[1084] WS2_32.dll!socket 76A536D1 5 Bytes JMP 01300000
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1144] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[1144] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 001D00B3
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 001D00A2
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 001D00E9
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 001D0F52
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 001D0062
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 001D0FDB
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 001D0FCA
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 001D0F77
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 001D0F88
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 001D0FA5
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 001D0051
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 001D002C
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 001D007D
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 001D0F41
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 001D0011
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 001D0000
.text C:\Windows\system32\svchost.exe[1220] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 001D00C4
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 001E0053
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!system 762C804B 5 Bytes JMP 001E0FBE
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 001E0FE3
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_open 762CD106 5 Bytes JMP 001E0000
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 001E002E
.text C:\Windows\system32\svchost.exe[1220] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 001E001D
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 001F0FB2
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 001F004A
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 001F0000
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 001F0FC3
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 001F0F97
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 001F0025
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 001F0FEF
.text C:\Windows\system32\svchost.exe[1220] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 001F0FDE
.text C:\Windows\system32\svchost.exe[1220] WS2_32.dll!socket 76A536D1 5 Bytes JMP 00350FE5
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 00D80F63
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 00D800A9
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 00D80F3E
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 00D800D5
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 00D80FA3
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 00D80FE5
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 00D80036
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 00D80F7E
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 00D8007D
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00D80FCA
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00D8006C
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 00D80051
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00D80098
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 00D800F0
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 00D80011
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00D80000
.text C:\Windows\system32\svchost.exe[1284] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 00D800C4
.text C:\Windows\system32\svchost.exe[1284] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 00D9003A
.text C:\Windows\system32\svchost.exe[1284] msvcrt.dll!system 762C804B 5 Bytes JMP 00D90029
.text C:\Windows\system32\svchost.exe[1284] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 00D90FC3
.text C:\Windows\system32\svchost.exe[1284] msvcrt.dll!_open 762CD106 5 Bytes JMP 00D90FEF
.text C:\Windows\system32\svchost.exe[1284] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 00D90018
.text C:\Windows\system32\svchost.exe[1284] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 00D90FDE
.text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 00DA0054
.text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 00DA0FBC
.text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00DA0FEF
.text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00DA0043
.text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 00DA0F97
.text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 00DA0FCD
.text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 00DA0FDE
.text C:\Windows\system32\svchost.exe[1284] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 00DA001E
.text C:\Windows\system32\svchost.exe[1284] WS2_32.dll!socket 76A536D1 5 Bytes JMP 01400FE5
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 009F009A
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 009F0F54
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 009F00DA
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 009F00BF
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 009F006E
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 009F0011
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 009F0022
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 009F0F6F
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 009F0F94
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 009F0FB6
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 009F0FA5
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 009F0033
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 009F007F
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 009F00EB
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 009F0000
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 009F0FE5
.text C:\Windows\system32\svchost.exe[1468] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 009F0F43
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 00A10058
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!system 762C804B 5 Bytes JMP 00A10FCD
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 00A10FEF
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!_open 762CD106 5 Bytes JMP 00A1000C
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 00A10FDE
.text C:\Windows\system32\svchost.exe[1468] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 00A10029
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExA 763439AB 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 00A20FAF
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 00A20051
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00A20FE5
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00A20FCA
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 00A2006C
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 00A2001B
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 00A20000
.text C:\Windows\system32\svchost.exe[1468] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 00A20036
.text C:\Windows\system32\svchost.exe[1468] WS2_32.dll!socket 76A536D1 5 Bytes JMP 00A70000
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 003600AA
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 00360F64
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 00360F24
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 003600BB
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 00360FA1
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 00360036
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 00360FE5
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 00360F75
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 00360FB2
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00360FC3
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00360065
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 00360FD4
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00360F90
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 003600E0
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 0036001B
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00360000
.text C:\Windows\system32\svchost.exe[1676] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 00360F3F
.text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 008B0066
.text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!system 762C804B 5 Bytes JMP 008B004B
.text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 008B0029
.text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!_open 762CD106 5 Bytes JMP 008B0FEF
.text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 008B003A
.text C:\Windows\system32\svchost.exe[1676] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 008B0018
.text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 00920062
.text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 00920FD1
.text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00920000
.text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00920FB6
.text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 00920FA5
.text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 0092002C
.text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 0092001B
.text C:\Windows\system32\svchost.exe[1676] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 0092003D
.text C:\Windows\system32\svchost.exe[1676] WS2_32.dll!socket 76A536D1 5 Bytes JMP 00930FEF
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 00310091
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 00310076
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 00310F15
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 00310F26
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 00310036
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 00310FB9
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 00310FA8
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 00310051
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 00310F68
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00310014
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00310025
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 00310F8D
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00310F41
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 003100C7
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 00310FCA
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00310FE5
.text C:\Windows\system32\svchost.exe[2056] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 003100A2
.text C:\Windows\system32\svchost.exe[2056] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 00320FB2
.text C:\Windows\system32\svchost.exe[2056] msvcrt.dll!system 762C804B 5 Bytes JMP 00320FC3
.text C:\Windows\system32\svchost.exe[2056] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 00320FDE
.text C:\Windows\system32\svchost.exe[2056] msvcrt.dll!_open 762CD106 5 Bytes JMP 00320000
.text C:\Windows\system32\svchost.exe[2056] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 00320033
.text C:\Windows\system32\svchost.exe[2056] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 00320FEF
.text C:\Windows\system32\svchost.exe[2056] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 00330F72
.text C:\Windows\system32\svchost.exe[2056] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 00330F9E
.text C:\Windows\system32\svchost.exe[2056] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00330000
.text C:\Windows\system32\svchost.exe[2056] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00330F83
.text C:\Windows\system32\svchost.exe[2056] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 00330039
.text C:\Windows\system32\svchost.exe[2056] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 00330FCA
.text C:\Windows\system32\svchost.exe[2056] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 00330FDB
.text C:\Windows\system32\svchost.exe[2056] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 00330FAF
.text C:\Windows\system32\svchost.exe[2056] WS2_32.dll!socket 76A536D1 5 Bytes JMP 00350FE5
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 00660080
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 00660F3A
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 006600AC
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 00660F15
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 0066004A
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 00660FDE
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 00660FC3
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 00660065
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 00660039
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00660F8D
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00660F7C
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 00660F9E
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00660F55
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 00660EFA
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 0066000A
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00660FEF
.text C:\Windows\system32\svchost.exe[2272] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 00660091
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 008B0FCD
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!system 762C804B 5 Bytes JMP 008B004E
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 008B002C
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_open 762CD106 5 Bytes JMP 008B0000
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 008B003D
.text C:\Windows\system32\svchost.exe[2272] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 008B0011
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 008C0073
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 008C0062
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 008C0000
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 008C0FDB
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 008C0FB6
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 008C0036
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 008C0025
.text C:\Windows\system32\svchost.exe[2272] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 008C0051
.text C:\Windows\system32\svchost.exe[2272] WS2_32.dll!socket 76A536D1 5 Bytes JMP 008D0FEF
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 000500B5
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 000500A4
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 00050F43
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 00050F5E
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 00050F94
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 0005001B
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 00050036
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 00050F79
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 00050FAF
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00050058
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00050FC0
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 00050047
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00050089
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 000500F5
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 00050FE5
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00050000
.text C:\Windows\System32\svchost.exe[2300] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 000500DA
.text C:\Windows\System32\svchost.exe[2300] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 00060066
.text C:\Windows\System32\svchost.exe[2300] msvcrt.dll!system 762C804B 5 Bytes JMP 00060FDB
.text C:\Windows\System32\svchost.exe[2300] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 0006003A
.text C:\Windows\System32\svchost.exe[2300] msvcrt.dll!_open 762CD106 5 Bytes JMP 00060000
.text C:\Windows\System32\svchost.exe[2300] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 0006004B
.text C:\Windows\System32\svchost.exe[2300] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 0006001D
.text C:\Windows\System32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 0007002F
.text C:\Windows\System32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 00070F9E
.text C:\Windows\System32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00070FE5
.text C:\Windows\System32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00070F8D
.text C:\Windows\System32\svchost.exe[2300] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 0007004A
.text C:\Windows\System32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 00070FCA
.text C:\Windows\System32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 0007000A
.text C:\Windows\System32\svchost.exe[2300] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 00070FAF
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!GetStartupInfoW 76101929 5 Bytes JMP 00010F3F
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!GetStartupInfoA 761019C9 5 Bytes JMP 00010085
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!CreateProcessW 76101BF3 5 Bytes JMP 00010EEE
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!CreateProcessA 76101C28 5 Bytes JMP 00010F09
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!VirtualProtect 76101DC3 5 Bytes JMP 00010F90
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!CreateNamedPipeA 76102EF5 5 Bytes JMP 00010FC3
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!CreateNamedPipeW 76105C0C 5 Bytes JMP 00010FB2
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!CreatePipe 76128E6E 5 Bytes JMP 00010F5A
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!LoadLibraryExW 76129109 5 Bytes JMP 0001006A
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!LoadLibraryW 76129362 5 Bytes JMP 00010032
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!LoadLibraryExA 761294B4 5 Bytes JMP 00010043
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!LoadLibraryA 761294DC 5 Bytes JMP 00010FA1
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!VirtualProtectEx 7612DBDA 5 Bytes JMP 00010F75
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!GetProcAddress 7614903B 5 Bytes JMP 00010EDD
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!CreateFileW 7614AECB 5 Bytes JMP 00010FD4
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!CreateFileA 7614CE5F 5 Bytes JMP 00010FEF
.text C:\Windows\Explorer.EXE[3976] kernel32.dll!WinExec 76195CF7 5 Bytes JMP 00010F24
.text C:\Windows\Explorer.EXE[3976] ADVAPI32.dll!RegCreateKeyExA 763439AB 5 Bytes JMP 00060F9E
.text C:\Windows\Explorer.EXE[3976] ADVAPI32.dll!RegCreateKeyA 76343BA9 5 Bytes JMP 00060FC3
.text C:\Windows\Explorer.EXE[3976] ADVAPI32.dll!RegOpenKeyA 763489C7 5 Bytes JMP 00060000
.text C:\Windows\Explorer.EXE[3976] ADVAPI32.dll!RegCreateKeyW 7635391E 5 Bytes JMP 00060040
.text C:\Windows\Explorer.EXE[3976] ADVAPI32.dll!RegCreateKeyExW 763541F1 5 Bytes JMP 00060F83
.text C:\Windows\Explorer.EXE[3976] ADVAPI32.dll!RegOpenKeyExA 76357C42 5 Bytes JMP 00060FD4
.text C:\Windows\Explorer.EXE[3976] ADVAPI32.dll!RegOpenKeyW 7635E2B5 5 Bytes JMP 00060FEF
.text C:\Windows\Explorer.EXE[3976] ADVAPI32.dll!RegOpenKeyExW 76367BA1 5 Bytes JMP 00060025
.text C:\Windows\Explorer.EXE[3976] msvcrt.dll!_wsystem 762C7F2F 5 Bytes JMP 00070051
.text C:\Windows\Explorer.EXE[3976] msvcrt.dll!system 762C804B 5 Bytes JMP 00070FC6
.text C:\Windows\Explorer.EXE[3976] msvcrt.dll!_creat 762CBBE1 5 Bytes JMP 00070FD7
.text C:\Windows\Explorer.EXE[3976] msvcrt.dll!_open 762CD106 5 Bytes JMP 00070000
.text C:\Windows\Explorer.EXE[3976] msvcrt.dll!_wcreat 762CD326 5 Bytes JMP 00070036
.text C:\Windows\Explorer.EXE[3976] msvcrt.dll!_wopen 762CD501 5 Bytes JMP 00070011
.text C:\Windows\Explorer.EXE[3976] WS2_32.dll!socket 76A536D1 5 Bytes JMP 00440FE5
.text C:\Windows\Explorer.EXE[3976] WININET.dll!InternetOpenA 7649D690 5 Bytes JMP 03A90FE5
.text C:\Windows\Explorer.EXE[3976] WININET.dll!InternetOpenW 7649DB09 5 Bytes JMP 03A90000
.text C:\Windows\Explorer.EXE[3976] WININET.dll!InternetOpenUrlA 7649F3A4 5 Bytes JMP 03A90FCA
.text C:\Windows\Explorer.EXE[3976] WININET.dll!InternetOpenUrlW 764E6DDF 5 Bytes JMP 03A90FAF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe[2748] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00192F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe[2748] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00192D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe[2748] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00192CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe[2748] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00192CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Ryan\Desktop\okw66kxb.exe[3312] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00272F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Ryan\Desktop\okw66kxb.exe[3312] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00272D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Ryan\Desktop\okw66kxb.exe[3312] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00272CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Ryan\Desktop\okw66kxb.exe[3312] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00272CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74547817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7459A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7454BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7453F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [745475E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7453E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74578395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7454DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7453FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7453FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [745371CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [745CCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7456C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7453D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74536853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7453687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74542AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01732F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [01732D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01732CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[3976] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01732CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Services - GMER 1.0.15 ----

Service system32\drivers\ESQULxprdbeyobnnqmcpvtdytrhfxcpxqbpiu.sys (*** hidden *** ) [SYSTEM] ESQULserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@imagepath \systemroot\system32\drivers\ESQULxprdbeyobnnqmcpvtdytrhfxcpxqbpiu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULserv \\?\globalroot\systemroot\system32\drivers\ESQULxprdbeyobnnqmcpvtdytrhfxcpxqbpiu.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULl \\?\globalroot\systemroot\system32\ESQULeydslwrfewyxcnmmcpdwystasgqeppbq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ESQULserv.sys\modules@ESQULclk \\?\globalroot\systemroot\system32\ESQULqoiojupofeipvjdeilfifkholusbgold.dll
Reg HKLM\SYSTEM\ControlSet021\Services\ESQULserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet021\Services\ESQULserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet021\Services\ESQULserv.sys@imagepath \systemroot\system32\drivers\ESQULxprdbeyobnnqmcpvtdytrhfxcpxqbpiu.sys
Reg HKLM\SYSTEM\ControlSet021\Services\ESQULserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet021\Services\ESQULserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet021\Services\ESQULserv.sys\modules@ESQULserv \\?\globalroot\systemroot\system32\drivers\ESQULxprdbeyobnnqmcpvtdytrhfxcpxqbpiu.sys
Reg HKLM\SYSTEM\ControlSet021\Services\ESQULserv.sys\modules@ESQULl \\?\globalroot\systemroot\system32\ESQULeydslwrfewyxcnmmcpdwystasgqeppbq.dll
Reg HKLM\SYSTEM\ControlSet021\Services\ESQULserv.sys\modules@ESQULclk \\?\globalroot\systemroot\system32\ESQULqoiojupofeipvjdeilfifkholusbgold.dll

---- EOF - GMER 1.0.15 ----

#8 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 25 November 2009 - 06:51 PM

Hi,

please run Combofix to remove the rootkit:

Please download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools.
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!



#9 delldummy99

  • Topic Starter

  • Members
  • 12 posts

Posted 25 November 2009 - 07:40 PM

Thanks myrti!

Here is the ComboFix log:

ComboFix 09-11-24.02 - Ryan 25/11/2009 19:18.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3069.1625 [GMT -5:00]
Running from: c:\users\Ryan\Desktop\ComboFix.exe
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1280494866-3057319620-478108040-500
c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\program files\Adware Professional
c:\program files\Adware Professional\noadware4_092009.na

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-10-26 to 2009-11-26 )))))))))))))))))))))))))))))))
.

2009-11-26 00:26 . 2009-11-26 00:28 -------- d-----w- c:\users\Ryan\AppData\Local\temp
2009-11-26 00:26 . 2009-11-26 00:26 -------- d-----w- c:\users\Owhey\AppData\Local\temp
2009-11-26 00:26 . 2009-11-26 00:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-20 08:00 . 2009-09-04 22:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-11-20 08:00 . 2009-09-04 22:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-11-18 08:02 . 2008-03-05 20:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-11-18 08:02 . 2008-03-05 20:56 1420824 ----a-w- c:\windows\system32\D3DCompiler_37.dll
2009-11-18 08:02 . 2008-02-06 04:07 462864 ----a-w- c:\windows\system32\d3dx10_37.dll
2009-11-18 08:02 . 2007-04-04 23:53 81768 ----a-w- c:\windows\system32\xinput1_3.dll
2009-11-18 08:02 . 2009-11-18 08:02 -------- d-----w- c:\windows\system32\xlive
2009-11-18 08:01 . 2009-11-18 08:01 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-11-17 17:55 . 2009-11-25 11:47 -------- d-----w- c:\users\Ryan\Tracing
2009-11-17 17:54 . 2009-11-17 17:54 -------- d-----w- c:\program files\Microsoft
2009-11-17 17:54 . 2009-11-17 17:54 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-11-17 17:54 . 2009-11-17 17:54 -------- d-----w- c:\program files\Windows Live
2009-11-17 17:52 . 2009-11-17 17:52 -------- d-----w- c:\program files\Common Files\Windows Live
2009-11-13 07:24 . 2009-11-14 17:07 -------- d-----w- C:\92330BB3
2009-11-11 03:51 . 2009-08-14 13:27 2036736 ----a-w- c:\windows\system32\win32k.sys
2009-11-11 03:51 . 2009-08-10 12:35 355328 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-06 15:59 . 2009-11-06 15:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 15:59 . 2009-11-06 15:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-05 17:23 . 2009-11-05 17:23 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-05 11:38 . 2009-10-01 01:02 30208 ----a-w- c:\windows\system32\WPDShextAutoplay.exe
2009-11-05 11:37 . 2009-10-08 21:07 4096 ----a-w- c:\windows\system32\oleaccrc.dll
2009-11-05 11:37 . 2009-10-08 21:08 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-11-05 11:37 . 2009-10-08 21:08 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-11-02 23:05 . 2009-11-02 23:05 167064 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-02 23:05 . 2009-11-02 23:05 71832 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-10-27 19:11 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-27 19:11 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-26 00:28 . 2007-07-29 15:09 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-11-18 08:01 . 2007-06-18 22:41 24576 d-----w- c:\program files\Microsoft Works
2009-11-18 04:14 . 2009-03-03 03:10 8192 d-----w- c:\program files\Steam
2009-11-18 04:06 . 2007-06-18 22:34 4096 d-----w- c:\program files\DellSupport
2009-11-16 03:12 . 2007-06-18 22:33 4096 d-----w- c:\programdata\Roxio
2009-11-12 14:00 . 2009-07-02 23:05 4096 d-----w- c:\program files\Vuze
2009-11-12 00:34 . 2007-07-29 15:44 4096 d-----w- c:\users\Owhey\AppData\Roaming\Skype
2009-11-11 17:35 . 2007-06-26 18:49 81208 ----a-w- c:\users\Owhey\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-11 05:03 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-11-05 17:23 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-05 17:23 . 2009-11-05 17:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_07_00.Wdf
2009-11-05 17:23 . 2009-11-05 17:23 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_00.Wdf
2009-11-03 19:57 . 2007-08-10 00:00 8774 ----a-w- c:\users\Ryan\AppData\Roaming\wklnhst.dat
2009-11-03 01:42 . 2009-10-03 02:44 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-21 23:45 . 2009-09-20 13:29 -------- d-----w- c:\programdata\Lavasoft
2009-10-21 23:02 . 2009-07-02 23:08 24576 d-----w- c:\users\Ryan\AppData\Roaming\Azureus
2009-10-21 16:43 . 2009-10-21 16:43 10628032 ----a-w- c:\users\Ryan\AppData\Roaming\Azureus\tmp\AZU17615.tmp\Vuze_4.2.0.8b_win32.exe
2009-10-16 02:32 . 2009-03-03 03:10 -------- d-----w- c:\program files\Common Files\Steam
2009-10-02 08:34 . 2009-08-04 22:40 4096 d-----w- c:\program files\Guitar Pro 5
2009-10-01 01:02 . 2009-11-05 11:38 2537472 ----a-w- c:\windows\system32\wpdshext.dll
2009-10-01 01:02 . 2009-11-05 11:38 334848 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-10-01 01:02 . 2009-11-05 11:38 87552 ----a-w- c:\windows\system32\WPDShServiceObj.dll
2009-10-01 01:02 . 2009-11-05 11:38 31232 ----a-w- c:\windows\system32\BthMtpContextHandler.dll
2009-10-01 01:01 . 2009-11-05 11:38 546816 ----a-w- c:\windows\system32\wpd_ci.dll
2009-10-01 01:01 . 2009-11-05 11:38 160256 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-10-01 01:01 . 2009-11-05 11:38 60928 ----a-w- c:\windows\system32\PortableDeviceConnectApi.dll
2009-10-01 01:01 . 2009-11-05 11:38 350208 ----a-w- c:\windows\system32\WPDSp.dll
2009-10-01 01:01 . 2009-11-05 11:38 196608 ----a-w- c:\windows\system32\PortableDeviceWMDRM.dll
2009-10-01 01:01 . 2009-11-05 11:38 100864 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-10-01 01:01 . 2009-11-05 11:38 81920 ----a-w- c:\windows\system32\wpdbusenum.dll
2009-10-01 01:01 . 2009-11-05 11:38 40448 ----a-w- c:\windows\system32\drivers\WpdUsb.sys
2009-10-01 01:01 . 2009-11-05 11:38 226816 ----a-w- c:\windows\system32\WpdMtp.dll
2009-10-01 01:01 . 2009-11-05 11:38 33280 ----a-w- c:\windows\system32\WpdConns.dll
2009-10-01 01:01 . 2009-11-05 11:38 61952 ----a-w- c:\windows\system32\WpdMtpUS.dll
2009-09-25 02:10 . 2009-11-05 11:39 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-09-25 02:07 . 2009-11-05 11:39 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-09-25 02:04 . 2009-11-05 11:39 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-09-25 01:49 . 2009-11-05 11:39 1554432 ----a-w- c:\windows\system32\xpsservices.dll
2009-09-25 01:48 . 2009-11-05 11:39 351232 ----a-w- c:\windows\system32\XpsPrint.dll
2009-09-25 01:38 . 2009-11-05 11:39 847360 ----a-w- c:\windows\system32\OpcServices.dll
2009-09-25 01:36 . 2009-11-05 11:39 280064 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2009-09-25 01:35 . 2009-11-05 11:39 135680 ----a-w- c:\windows\system32\XpsRasterService.dll
2009-09-25 01:33 . 2009-11-05 11:39 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2009-09-25 01:33 . 2009-11-05 11:39 829440 ----a-w- c:\windows\system32\d3d10warp.dll
2009-09-25 01:33 . 2009-11-05 11:39 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2009-09-25 01:32 . 2009-11-05 11:39 252928 ----a-w- c:\windows\system32\dxdiag.exe
2009-09-25 01:31 . 2009-11-05 11:39 519680 ----a-w- c:\windows\system32\d3d11.dll
2009-09-25 01:31 . 2009-11-05 11:39 486912 ----a-w- c:\windows\system32\d3d10level9.dll
2009-09-25 01:31 . 2009-11-05 11:39 161280 ----a-w- c:\windows\system32\d3d10_1.dll
2009-09-25 01:31 . 2009-11-05 11:39 218112 ----a-w- c:\windows\system32\d3d10_1core.dll
2009-09-25 01:31 . 2009-11-05 11:39 1030144 ----a-w- c:\windows\system32\d3d10.dll
2009-09-25 01:31 . 2009-11-05 11:39 828928 ----a-w- c:\windows\system32\d2d1.dll
2009-09-25 01:30 . 2009-11-05 11:39 190464 ----a-w- c:\windows\system32\d3d10core.dll
2009-09-25 01:30 . 2009-11-05 11:39 481792 ----a-w- c:\windows\system32\dxgi.dll
2009-09-25 01:27 . 2009-11-05 11:39 634880 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-09-25 01:27 . 2009-11-05 11:39 37888 ----a-w- c:\windows\system32\cdd.dll
2009-09-25 01:27 . 2009-11-05 11:39 793088 ----a-w- c:\windows\system32\FntCache.dll
2009-09-25 01:27 . 2009-11-05 11:39 1064448 ----a-w- c:\windows\system32\DWrite.dll
2009-09-24 22:54 . 2009-11-05 11:39 258048 ----a-w- c:\windows\system32\winspool.drv
2009-09-24 22:54 . 2009-11-05 11:39 667648 ----a-w- c:\windows\system32\printfilterpipelinesvc.exe
2009-09-24 22:54 . 2009-11-05 11:39 26112 ----a-w- c:\windows\system32\printfilterpipelineprxy.dll
2009-09-20 12:34 . 2007-06-25 20:36 81208 ----a-w- c:\users\Ryan\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-19 14:58 . 2009-09-19 14:58 0 ----a-w- c:\windows\nsreg.dat
2009-09-16 14:22 . 2007-08-18 04:51 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 14:22 . 2007-08-18 04:51 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 14:22 . 2007-08-18 04:51 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 14:22 . 2007-08-18 04:51 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 14:22 . 2007-08-18 04:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-14 09:29 . 2009-10-15 02:36 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 16:48 . 2009-10-15 02:37 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 02:01 . 2009-11-05 11:39 3023360 ----a-w- c:\windows\system32\UIRibbon.dll
2009-09-10 02:00 . 2009-11-05 11:39 1164800 ----a-w- c:\windows\system32\UIRibbonRes.dll
2009-09-10 02:00 . 2009-11-05 11:39 92672 ----a-w- c:\windows\system32\UIAnimation.dll
2009-09-04 11:41 . 2009-10-15 02:36 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:27 . 2009-09-19 00:13 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-19 00:13 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2007-06-19 06:17 . 2007-06-19 06:17 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-04 68856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"Picasa Media Detector"=c:\program files\Picasa2\PicasaMediaDetector.exe
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam10\QuickCam10.exe" /hide
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe"
"ECenter"=c:\dell\E-Center\EULALauncher.exe
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
"QuickTime Task"="c:\program files\VistaCodecPack\QT\QTTask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe"
"SigmatelSysTrayApp"=sttray.exe
"ISUSPM Startup"=c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"SiteAdvisor"=c:\program files\SiteAdvisor\6253\SiteAdv.exe
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"NvSvc"=RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):f3,49,42,6b,d3,38,ca,01

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [05/10/2008 8:58 PM 210216]
R2 SSPORT;SSPORT;c:\windows\System32\drivers\SSPORT.SYS [08/07/2007 7:48 AM 5120]
S2 0199681255043740mcinstcleanup;McAfee Application Installer Cleanup (0199681255043740);c:\windows\TEMP\019968~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\019968~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 gupdate1ca39f66981642f;Google Update Service (gupdate1ca39f66981642f);c:\program files\Google\Update\GoogleUpdate.exe [20/09/2009 8:29 AM 133104]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [22/09/2008 9:34 AM 21504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2009-11-26 c:\windows\Tasks\AWC Startup.job
- c:\program files\IObit\Advanced SystemCare 3\AWC.exe [2009-09-20 13:55]

2009-11-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-20 13:29]

2009-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-20 13:29]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-08 16:22]

2009-11-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2009-10-08 16:22]
.
.
------- Supplementary Scan -------
.
uLocal Page = \blank.htm
uStart Page = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3070619
mStart Page = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=3070619
TCP: {AD63F258-3A8E-4B19-A200-5704ACFA1127} = 209.91.128.11 204.187.88.10
FF - ProfilePath - c:\users\Ryan\AppData\Roaming\Mozilla\Firefox\Profiles\t1vuiha8.default\
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin2.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin3.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin4.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin5.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin6.dll
FF - plugin: c:\program files\VistaCodecPack\QT\Plugins\npqtplugin7.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
AddRemove-Crysis WARHEAD® - c:\programdata\{0691F710-1ECA-4B5A-9727-25554F1BFDC6}\setup.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-NVIDIA Drivers - c:\windows\system32\NVUNINST.EXE UninstallGUI
AddRemove-QcDrv - c:\program files\Common Files\LogiShrd\QCDRV\BIN\SETUP.EXE UNINSTALL REMOVEPROMPT
AddRemove-Steam App 13210 - c:\program files\Steam\steam.exe steam://uninstall/13210
AddRemove-Steam App 220 - c:\program files\Steam\steam.exe steam://uninstall/220
AddRemove-Steam App 340 - c:\program files\Steam\steam.exe steam://uninstall/340
AddRemove-Steam App 380 - c:\program files\Steam\steam.exe steam://uninstall/380
AddRemove-Steam App 400 - c:\program files\Steam\steam.exe steam://uninstall/400
AddRemove-Steam App 420 - c:\program files\Steam\steam.exe steam://uninstall/420
AddRemove-Steam App 440 - c:\program files\Steam\steam.exe steam://uninstall/440
AddRemove-{9863F141-7A33-4c9a-A5F2-96996461B216} - c:\users\Ryan\AppData\Local\KodakGallery\EasyShareSetup\$SETUP_140007_52ba1\Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-25 19:29
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1280494866-3057319620-478108040-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:33,be,15,df,42,64,00,92,78,3d,a4,d9,e0,1b,58,cb,77,62,b3,29,da,aa,5e,
0f,da,f7,74,5f,e4,6a,a9,fa,b0,4b,ee,51,d6,46,7a,3b,ff,a6,d9,67,69,44,de,cf,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-1280494866-3057319620-478108040-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:0c,8e,bc,f6,8b,8d,db,75,a4,1d,fb,f8,48,be,60,35,70,91,ea,01,1d,
b8,4b,e3,83,f9,99,fd,db,ee,90,13,2c,32,26,a3,34,76,d9,19,8b,b5,95,5b,05,4e,\
"rkeysecu"=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1096)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\program files\Common Files\Sonic Shared\SonicMC01\sonicMP4Demux.ax
c:\program files\Common Files\Sonic Shared\SonicMC01\sonicamrd.ax
c:\program files\Essentials Codec Pack\Gabset\VSFilter.dll
c:\program files\VistaCodecPack\filters\MP4Splitter.dll
c:\program files\Essentials Codec Pack\WavPack\WavPackDSSplitter.ax
c:\program files\VistaCodecPack\filters\RealMediaSplitter.ax
c:\program files\Essentials Codec Pack\Gabset\FLVSplitter.ax
c:\program files\Common Files\Roxio Shared\9.0\MPEG\RoxioMPEGDemuxer.dll
c:\program files\Essentials Codec Pack\Haali\splitter.ax
c:\program files\Essentials Codec Pack\Haali\mkzlib.dll
c:\program files\Essentials Codec Pack\Haali\mkunicode.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\windows\ehome\ehsched.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
c:\windows\ehome\ehRecvr.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-11-25 19:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-26 00:35

Pre-Run: 58,803,949,568 bytes free
Post-Run: 60,193,300,480 bytes free

- - End Of File - - 2F0A49B994A09B843E3EF65F510348F4

#10 myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,779 posts
  • Gender:Female
  • Location:At home

Posted 25 November 2009 - 08:08 PM

Hi,

Looks like CF tried to get rid of the rootkit for us; could you please run GMER for confirmation:
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Please also run a scan with Malwarebytes:
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help requests via PM, unless I am already helping you. Use the forums!
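When a GMER log like the one requested above comes back, the helper's first job is to separate hooks that a known security product owns from hooks that nobody claims. The script below is an added example for this thread; it is neither the helper's code nor part of GMER. It parses the three hook sections GMER 1.0.15 prints (the "System" SSDT hooks, "Kernel code sections" and "User code sections"), groups every attributed hook under its owning module, and buckets the unattributed inline JMP hooks per process together with the 64 KiB regions their trampolines land in. The sample input is a constructed excerpt of lines copied from the GMER log posted later in this thread; the field names (`owner`, `dest`, `regions`) are this example's own.

```python
"""Triage a GMER 1.0.15 rootkit-scan log: who owns each hook, and which hooks have no owner.

Added example for this thread; it is neither the helper's code nor part of GMER.
"""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the GMER log posted in this thread.
# It mixes SSDT hooks owned by McAfee's mfehidk.sys, one kernel inline hook, a
# writeable driver section, and user-mode JMP hooks with and without an owner.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x805D579E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82061982 5 Bytes JMP 805D57CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E202340, 0x35AB67, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00920F04
.text C:\Windows\system32\services.exe[652] WS2_32.dll!socket 770236D1 5 Bytes JMP 00990000
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!system 7576804B 3 Bytes JMP 01020F90
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!system + 4 7576804F 1 Byte [8B]
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[668] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")
# "Code <driver> (<description>) <NtFunction> [0xADDR]" : SSDT / kernel code hook
SSDT_RE = re.compile(r"^Code\s+(?P<mod>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)")
# "<sect> <where> <addr> <n> Bytes JMP <dest> [<owner> (<description>)]" : inline hook
JMP_RE = re.compile(
    r"^(?P<sect>\S+)\s+(?P<where>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes?\s+JMP\s+"
    r"(?P<dest>[0-9A-Fa-f]{8})(?:\s+(?P<mod>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)
# "<process>[<pid>] <dll>!<export>" : the 'where' part of a user-mode hook
PROC_RE = re.compile(r"^(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<func>\S+)$")
WRITEABLE_RE = re.compile(r"^\S+\s+(?P<mod>\S+)\s+section is writeable")


def parse_gmer(text):
    """Return {'ssdt': [...], 'inline': [...], 'writeable': [...]} from GMER output."""
    findings = {"ssdt": [], "inline": [], "writeable": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group("name")
        elif (m := SSDT_RE.match(line)):
            findings["ssdt"].append({"func": m.group("func"), "owner": m.group("mod"),
                                     "desc": m.group("desc")})
        elif (m := WRITEABLE_RE.match(line)):
            findings["writeable"].append(m.group("mod"))
        elif (m := JMP_RE.match(line)):
            pm = PROC_RE.match(m.group("where"))
            findings["inline"].append({
                "section": section,
                "process": pm.group("proc") if pm else None,
                "pid": int(pm.group("pid")) if pm else None,
                "func": pm.group("func") if pm else m.group("where"),
                "patched_bytes": int(m.group("n")),
                "dest": int(m.group("dest"), 16),
                "owner": m.group("mod"),          # None when GMER could not attribute it
                "desc": m.group("desc"),
            })
        # Other lines ("+ 4 ... 1 Byte [8B]" tails, banners) carry no hook of their own.
    return findings


def triage(findings):
    """Group hooks by owning module; bucket unattributed inline hooks per process."""
    by_owner = defaultdict(list)
    for h in findings["ssdt"]:
        by_owner[h["owner"]].append("SSDT:" + h["func"])
    for h in findings["inline"]:
        if h["owner"]:
            by_owner[h["owner"]].append(h["func"])
    # For hooks nobody claims, record the 64 KiB regions the JMPs land in: one
    # injected hook library leaves all of a process's trampolines in a few such
    # private regions, which is the pattern to compare against the process's
    # loaded-module list before calling the hooks benign or malicious.
    unattributed = defaultdict(lambda: {"funcs": [], "regions": set()})
    for h in findings["inline"]:
        if not h["owner"]:
            key = (h["process"] or "kernel", h["pid"])
            unattributed[key]["funcs"].append(h["func"])
            unattributed[key]["regions"].add(h["dest"] & 0xFFFF0000)
    return {
        "by_owner": dict(by_owner),
        "unattributed": {k: {"funcs": v["funcs"], "regions": sorted(v["regions"])}
                         for k, v in unattributed.items()},
        "writeable": list(findings["writeable"]),
    }


if __name__ == "__main__":
    result = triage(parse_gmer(SAMPLE_LOG))
    for owner, funcs in result["by_owner"].items():
        print(f"{owner}: {len(funcs)} hook(s) -> {', '.join(funcs)}")
    for (proc, pid), info in result["unattributed"].items():
        regions = ", ".join(f"0x{r:08X}" for r in info["regions"])
        print(f"UNATTRIBUTED {proc}[{pid}]: {info['funcs']} jump into {regions}")
    for mod in result["writeable"]:
        print(f"WRITEABLE CODE SECTION: {mod}")
```

On the sample, every kernel hook lands in McAfee's mfehidk.sys and the mcproxy.exe hook is self-owned, while the services.exe and svchost.exe hooks are reported with no owner. The script deliberately does not label those as clean or infected: an unattributed JMP into a private region is equally what a HIPS injection DLL and a user-mode rootkit look like in GMER output, and the deciding evidence (which module is mapped at that region) has to come from the process's module list, not from the log.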



#11 delldummy99

delldummy99
  • Topic Starter

  • Members
  • 12 posts

Posted 26 November 2009 - 10:01 PM

Seems like ComboFix did the trick. Thank you so very much for your help, it is much appreciated!

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-11-26 21:41:11
Windows 6.0.6002 Service Pack 2
Running: 3jmdp0fy.exe; Driver: C:\Users\Ryan\AppData\Local\Temp\pwryapod.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0x805D579E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0x805D5738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0x805D574C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x805D57DC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0x805D5710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0x805D5724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0x805D57B2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0x805D578A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0x805D5776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0x805D580B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x805D57F2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0x805D57C8]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateUserProcess [0x805D5762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 82061982 5 Bytes JMP 805D57CC \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateUserProcess 821FFB82 5 Bytes JMP 805D5766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 82226D5D 5 Bytes JMP 805D580F \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 82246446 7 Bytes JMP 805D57E0 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 82246709 5 Bytes JMP 805D57F6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 8224A474 5 Bytes JMP 805D577A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 8224FE7D 7 Bytes JMP 805D57B6 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 8225209A 5 Bytes JMP 805D5728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 82256B48 5 Bytes JMP 805D5714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 82277D59 5 Bytes JMP 805D57A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 822C774B 5 Bytes JMP 805D573C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 822C7796 7 Bytes JMP 805D5750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 822C8253 5 Bytes JMP 805D578E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E202340, 0x35AB67, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\services.exe[652] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 00920076
.text C:\Windows\system32\services.exe[652] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 00920F30
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00920F04
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 00920F15
.text C:\Windows\system32\services.exe[652] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 00920F5C
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 0092001B
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 00920FC0
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 00920F41
.text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 00920F83
.text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 00920040
.text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 00920F9E
.text C:\Windows\system32\services.exe[652] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 00920FAF
.text C:\Windows\system32\services.exe[652] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 00920051
.text C:\Windows\system32\services.exe[652] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 00920EF3
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 00920000
.text C:\Windows\system32\services.exe[652] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 00920FE5
.text C:\Windows\system32\services.exe[652] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 00920091
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 00940FA1
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 00940FC3
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 00940FEF
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 00940FB2
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 00940F86
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 00940014
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 00940FDE
.text C:\Windows\system32\services.exe[652] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 00940025
.text C:\Windows\system32\services.exe[652] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 00930FB2
.text C:\Windows\system32\services.exe[652] msvcrt.dll!system 7576804B 5 Bytes JMP 00930FC3
.text C:\Windows\system32\services.exe[652] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 00930029
.text C:\Windows\system32\services.exe[652] msvcrt.dll!_open 7576D106 5 Bytes JMP 00930FEF
.text C:\Windows\system32\services.exe[652] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 00930FD4
.text C:\Windows\system32\services.exe[652] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 00930018
.text C:\Windows\system32\services.exe[652] WS2_32.dll!socket 770236D1 5 Bytes JMP 00990000
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 001A0098
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 001A007D
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 001A0F1C
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 001A00B3
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 001A0F77
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 001A0FB9
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 001A000A
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 001A0F52
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 001A0051
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 001A0025
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 001A0036
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 001A0F9E
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 001A006C
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 001A00CE
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 001A0FCA
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 001A0FE5
.text C:\Windows\system32\lsass.exe[664] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 001A0F2D
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 001C004A
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 001C0FC3
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 001C0000
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 001C0FB2
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 001C0F8D
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 001C0FD4
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 001C0FE5
.text C:\Windows\system32\lsass.exe[664] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 001C0025
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 001B0FC8
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!system 7576804B 5 Bytes JMP 001B0053
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 001B002E
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!_open 7576D106 5 Bytes JMP 001B0000
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 001B0FD9
.text C:\Windows\system32\lsass.exe[664] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 001B001D
.text C:\Windows\system32\lsass.exe[664] WS2_32.dll!socket 770236D1 5 Bytes JMP 008B0FEF
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[668] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 0041C1B0 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe[668] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 0041C130 c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe (McAfee Proxy Service Module/McAfee, Inc.)
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 00640F1B
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 00640F2C
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00640EDB
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 0064007C
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 00640F5F
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 00640FC3
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 00640014
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 00640F3D
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 00640043
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 00640FA1
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 00640F86
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 00640FB2
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 00640F4E
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 00640ECA
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 00640FDE
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 00640FEF
.text C:\Windows\system32\svchost.exe[872] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 00640F0A
.text C:\Windows\system32\svchost.exe[872] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 00650069
.text C:\Windows\system32\svchost.exe[872] msvcrt.dll!system 7576804B 5 Bytes JMP 0065004E
.text C:\Windows\system32\svchost.exe[872] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 00650FDE
.text C:\Windows\system32\svchost.exe[872] msvcrt.dll!_open 7576D106 5 Bytes JMP 00650FEF
.text C:\Windows\system32\svchost.exe[872] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 0065003D
.text C:\Windows\system32\svchost.exe[872] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 00650018
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 00660F97
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 00660FC3
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 00660FEF
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 00660FB2
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 00660F86
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 00660025
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 0066000A
.text C:\Windows\system32\svchost.exe[872] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 00660FD4
.text C:\Windows\system32\svchost.exe[872] WS2_32.dll!socket 770236D1 5 Bytes JMP 00740000
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 001C00F5
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 001C00DA
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 001C011A
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 001C0F79
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 001C0093
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 001C0FDB
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 001C0FCA
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 001C00C9
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 001C0076
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 001C0040
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 001C005B
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 001C0FB9
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 001C00A4
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 001C0F68
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 001C0011
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 001C0000
.text C:\Windows\system32\svchost.exe[932] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 001C0F94
.text C:\Windows\system32\svchost.exe[932] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 001D001D
.text C:\Windows\system32\svchost.exe[932] msvcrt.dll!system 7576804B 5 Bytes JMP 001D0F92
.text C:\Windows\system32\svchost.exe[932] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 001D0FC8
.text C:\Windows\system32\svchost.exe[932] msvcrt.dll!_open 7576D106 5 Bytes JMP 001D0FE3
.text C:\Windows\system32\svchost.exe[932] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 001D0FB7
.text C:\Windows\system32\svchost.exe[932] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 001D000C
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 001E002C
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 001E001B
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 001E0FE5
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 001E0F8A
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 001E0F79
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 001E000A
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 001E0FD4
.text C:\Windows\system32\svchost.exe[932] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 001E0FAF
.text C:\Windows\system32\svchost.exe[932] WS2_32.dll!socket 770236D1 5 Bytes JMP 00300FEF
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 01190F68
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 01190F83
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 011900F5
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 011900E4
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 01190082
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 01190000
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 01190FB9
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 011900A4
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 01190071
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 0119004A
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 01190FA8
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 0119002F
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 01190093
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 01190F43
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 01190FCA
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 01190FEF
.text C:\Windows\System32\svchost.exe[968] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 011900C9
.text C:\Windows\System32\svchost.exe[968] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 011A0036
.text C:\Windows\System32\svchost.exe[968] msvcrt.dll!system 7576804B 5 Bytes JMP 011A0025
.text C:\Windows\System32\svchost.exe[968] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 011A0FB5
.text C:\Windows\System32\svchost.exe[968] msvcrt.dll!_open 7576D106 5 Bytes JMP 011A0FE3
.text C:\Windows\System32\svchost.exe[968] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 011A000A
.text C:\Windows\System32\svchost.exe[968] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 011A0FC6
.text C:\Windows\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 011B002C
.text C:\Windows\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 011B0F94
.text C:\Windows\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 011B0000
.text C:\Windows\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 011B001B
.text C:\Windows\System32\svchost.exe[968] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 011B003D
.text C:\Windows\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 011B0FCA
.text C:\Windows\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 011B0FDB
.text C:\Windows\System32\svchost.exe[968] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 011B0FAF
.text C:\Windows\System32\svchost.exe[968] WS2_32.dll!socket 770236D1 5 Bytes JMP 0123000A
.text C:\Windows\System32\svchost.exe[968] wininet.dll!InternetOpenA 769AD690 5 Bytes JMP 01220FEF
.text C:\Windows\System32\svchost.exe[968] wininet.dll!InternetOpenW 769ADB09 5 Bytes JMP 01220FDE
.text C:\Windows\System32\svchost.exe[968] wininet.dll!InternetOpenUrlA 769AF3A4 5 Bytes JMP 01220FC3
.text C:\Windows\System32\svchost.exe[968] wininet.dll!InternetOpenUrlW 769F6DDF 5 Bytes JMP 01220014
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 006E0F43
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 006E0F54
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 006E0F17
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 006E00AE
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 006E0053
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 006E000A
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 006E0FAF
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 006E0089
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 006E0036
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 006E0F9E
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 006E0F79
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 006E001B
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 006E006E
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 006E0EFC
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 006E0FD4
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 006E0FEF
.text C:\Windows\System32\svchost.exe[1056] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 006E0F32
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 00730058
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!system 7576804B 5 Bytes JMP 00730FCD
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 0073002C
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_open 7576D106 5 Bytes JMP 00730000
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 00730047
.text C:\Windows\System32\svchost.exe[1056] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 00730011
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 007C0F8D
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 007C0FAF
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 007C0FE5
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 007C0F9E
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 007C0040
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 007C000A
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 007C0FD4
.text C:\Windows\System32\svchost.exe[1056] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 007C001B
.text C:\Windows\System32\svchost.exe[1056] WS2_32.dll!socket 770236D1 5 Bytes JMP 009F0FEF
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 00FD008E
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 00FD0073
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00FD009F
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 00FD0F12
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 00FD0F6D
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 00FD0FCA
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 00FD0FB9
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 00FD0F52
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 00FD0047
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 00FD0025
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 00FD0036
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 00FD0F9E
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 00FD0058
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 00FD0EED
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 00FD000A
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 00FD0FE5
.text C:\Windows\System32\svchost.exe[1088] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 00FD0F2D
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!_wsystem 75767F2F 3 Bytes JMP 0102001B
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!_wsystem + 4 75767F33 1 Byte [8B]
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!system 7576804B 3 Bytes JMP 01020F90
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!system + 4 7576804F 1 Byte [8B]
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!_creat 7576BBE1 3 Bytes JMP 01020000
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!_creat + 4 7576BBE5 1 Byte [8B]
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!_open 7576D106 5 Bytes JMP 01020FEF
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!_wcreat 7576D326 3 Bytes JMP 01020FA1
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!_wcreat + 4 7576D32A 1 Byte [8B]
.text C:\Windows\System32\svchost.exe[1088] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 01020FC6
.text C:\Windows\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 01030FA8
.text C:\Windows\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 0103004A
.text C:\Windows\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 01030FEF
.text C:\Windows\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 01030FB9
.text C:\Windows\System32\svchost.exe[1088] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 01030065
.text C:\Windows\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 0103002F
.text C:\Windows\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 01030014
.text C:\Windows\System32\svchost.exe[1088] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 01030FDE
.text C:\Windows\System32\svchost.exe[1088] WS2_32.dll!socket 770236D1 5 Bytes JMP 01040000
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 01230F21
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 01230F32
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 01230EE1
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 01230078
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 0123003B
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 01230FD4
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 01230FC3
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 0123005D
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 01230F61
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 01230F8D
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 01230F72
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 01230F9E
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 0123004C
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 01230093
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 0123000A
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 01230FE5
.text C:\Windows\system32\svchost.exe[1128] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 01230EFC
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 01280FA1
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!system 7576804B 5 Bytes JMP 01280FB2
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 01280011
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!_open 7576D106 5 Bytes JMP 01280000
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 0128002C
.text C:\Windows\system32\svchost.exe[1128] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 01280FD7
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 01290065
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 01290FCD
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 0129000A
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 01290054
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 01290080
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 01290FEF
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 0129001B
.text C:\Windows\system32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 01290FDE
.text C:\Windows\system32\svchost.exe[1128] WS2_32.dll!socket 770236D1 5 Bytes JMP 012F0000
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 00180F2B
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 00180F46
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00180EFF
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 00180096
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 00180F61
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 00180FCA
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 00180FAF
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 00180067
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 0018002F
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 00180F83
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 00180F72
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 00180F9E
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 00180056
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 00180EEE
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 00180FEF
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 0018000A
.text C:\Windows\system32\svchost.exe[1268] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 00180F10
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 00190073
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!system 7576804B 5 Bytes JMP 00190FDE
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 00190FEF
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!_open 7576D106 5 Bytes JMP 00190000
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 0019004E
.text C:\Windows\system32\svchost.exe[1268] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 00190029
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 006B0047
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 006B0036
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 006B0000
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 006B0FA5
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 006B0062
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 006B001B
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 006B0FE5
.text C:\Windows\system32\svchost.exe[1268] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 006B0FCA
.text C:\Windows\system32\svchost.exe[1268] WS2_32.dll!socket 770236D1 5 Bytes JMP 006C0FEF
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 00C80F18
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 00C80054
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00C80094
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 00C80083
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 00C80039
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 00C80FC3
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 00C80FB2
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 00C80F29
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 00C80028
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 00C80F90
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 00C80F75
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 00C80FA1
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 00C80F44
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 00C800A5
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 00C80FD4
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 00C80FEF
.text C:\Windows\system32\svchost.exe[1364] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 00C80EFD
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 00CD0FB7
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!system 7576804B 5 Bytes JMP 00CD0042
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 00CD001D
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_open 7576D106 5 Bytes JMP 00CD0000
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 00CD0FD2
.text C:\Windows\system32\svchost.exe[1364] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 00CD0FE3
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 00D50F94
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 00D50FAF
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 00D50FEF
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 00D50036
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 00D50F79
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 00D5001B
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 00D5000A
.text C:\Windows\system32\svchost.exe[1364] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 00D50FCA
.text C:\Windows\system32\svchost.exe[1364] WS2_32.dll!socket 770236D1 5 Bytes JMP 00E40FEF
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 00DA0F22
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 00DA0068
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00DA0EEC
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 00DA0079
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 00DA0032
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 00DA0FCD
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 00DA0FA8
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 00DA004D
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 00DA0F5A
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 00DA0F7C
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 00DA0F6B
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 00DA0F8D
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 00DA0F3D
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 00DA0094
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 00DA0FDE
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 00DA0FEF
.text C:\Windows\system32\svchost.exe[1508] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 00DA0EFD
.text C:\Windows\system32\svchost.exe[1508] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 00DB004C
.text C:\Windows\system32\svchost.exe[1508] msvcrt.dll!system 7576804B 5 Bytes JMP 00DB0FC1
.text C:\Windows\system32\svchost.exe[1508] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 00DB0FD2
.text C:\Windows\system32\svchost.exe[1508] msvcrt.dll!_open 7576D106 5 Bytes JMP 00DB000C
.text C:\Windows\system32\svchost.exe[1508] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 00DB0031
.text C:\Windows\system32\svchost.exe[1508] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 00DB0FEF
.text C:\Windows\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 00DE0F97
.text C:\Windows\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 00DE0FB2
.text C:\Windows\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 00DE0FEF
.text C:\Windows\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 00DE0039
.text C:\Windows\system32\svchost.exe[1508] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 00DE0F7C
.text C:\Windows\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 00DE001E
.text C:\Windows\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 00DE0FDE
.text C:\Windows\system32\svchost.exe[1508] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 00DE0FC3
.text C:\Windows\system32\svchost.exe[1508] WS2_32.dll!socket 770236D1 5 Bytes JMP 00DF0FEF
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 001E00B8
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 001E0F68
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 001E0F57
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 001E00E4
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 001E0F8D
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 001E0FD4
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 001E001B
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 001E0093
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 001E0F9E
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 001E0FAF
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 001E0051
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 001E002C
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 001E0082
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 001E0F46
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 001E0FE5
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 001E0000
.text C:\Windows\system32\svchost.exe[1700] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 001E00D3
.text C:\Windows\system32\svchost.exe[1700] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 00230066
.text C:\Windows\system32\svchost.exe[1700] msvcrt.dll!system 7576804B 5 Bytes JMP 0023004B
.text C:\Windows\system32\svchost.exe[1700] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 00230FEF
.text C:\Windows\system32\svchost.exe[1700] msvcrt.dll!_open 7576D106 5 Bytes JMP 00230000
.text C:\Windows\system32\svchost.exe[1700] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 0023003A
.text C:\Windows\system32\svchost.exe[1700] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 00230029
.text C:\Windows\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 0026003D
.text C:\Windows\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 00260FB6
.text C:\Windows\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 00260000
.text C:\Windows\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 00260F9B
.text C:\Windows\system32\svchost.exe[1700] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 0026004E
.text C:\Windows\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 00260022
.text C:\Windows\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 00260011
.text C:\Windows\system32\svchost.exe[1700] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 00260FD1
.text C:\Windows\system32\svchost.exe[1700] WS2_32.dll!socket 770236D1 5 Bytes JMP 002F000A
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 00C50095
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 00C50F4F
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00C50F2A
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 00C500CB
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 00C50058
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 00C5001B
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 00C50036
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 00C5007A
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 00C50F7E
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 00C50FC0
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 00C50F9B
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 00C50047
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 00C50069
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 00C50F0F
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 00C50FE5
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 00C50000
.text C:\Windows\system32\svchost.exe[2084] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 00C500B0
.text C:\Windows\system32\svchost.exe[2084] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 00CE0FD2
.text C:\Windows\system32\svchost.exe[2084] msvcrt.dll!system 7576804B 5 Bytes JMP 00CE0053
.text C:\Windows\system32\svchost.exe[2084] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 00CE002E
.text C:\Windows\system32\svchost.exe[2084] msvcrt.dll!_open 7576D106 5 Bytes JMP 00CE0000
.text C:\Windows\system32\svchost.exe[2084] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 00CE0FE3
.text C:\Windows\system32\svchost.exe[2084] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 00CE001D
.text C:\Windows\system32\svchost.exe[2084] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 00CF0F8A
.text C:\Windows\system32\svchost.exe[2084] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 00CF001B
.text C:\Windows\system32\svchost.exe[2084] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 00CF0FEF
.text C:\Windows\system32\svchost.exe[2084] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 00CF002C
.text C:\Windows\system32\svchost.exe[2084] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 00CF0047
.text C:\Windows\system32\svchost.exe[2084] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 00CF0000
.text C:\Windows\system32\svchost.exe[2084] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 00CF0FCA
.text C:\Windows\system32\svchost.exe[2084] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 00CF0FAF
.text C:\Windows\system32\svchost.exe[2084] WS2_32.dll!socket 770236D1 5 Bytes JMP 00D00000
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 00A00F28
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 00A00F39
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00A00090
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 00A00EF9
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 00A00049
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 00A00FCA
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 00A0001B
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 00A00F4A
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 00A00F6F
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 00A00F8A
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 00A0002C
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 00A00FAF
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 00A00064
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 00A00EE8
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 00A00000
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 00A00FE5
.text C:\Windows\system32\svchost.exe[2280] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 00A0007F
.text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 00A1004E
.text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!system 7576804B 5 Bytes JMP 00A10033
.text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 00A10FDE
.text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_open 7576D106 5 Bytes JMP 00A10FEF
.text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 00A10FC3
.text C:\Windows\system32\svchost.exe[2280] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 00A1000C
.text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 00A30054
.text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 00A30039
.text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 00A30FEF
.text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 00A30FB2
.text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 00A30F97
.text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 00A30FD4
.text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 00A3000A
.text C:\Windows\system32\svchost.exe[2280] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 00A30FC3
.text C:\Windows\system32\svchost.exe[2280] WS2_32.dll!socket 770236D1 5 Bytes JMP 00A40000
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 00050F15
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 00050F30
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00050EF3
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 00050F04
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 0005002F
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 00050FB9
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 0005000A
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 0005005B
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 00050F55
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 00050F8D
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 00050F7C
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 00050FA8
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 0005004A
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 000500A5
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 00050FDE
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 00050FEF
.text C:\Windows\System32\svchost.exe[2324] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 00050076
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 00060049
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!system 7576804B 5 Bytes JMP 00060FBE
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 00060FE3
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!_open 7576D106 5 Bytes JMP 0006000C
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 0006002E
.text C:\Windows\System32\svchost.exe[2324] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 0006001D
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 00070F83
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 00070025
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 00070FEF
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 00070F9E
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 00070040
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 00070FC3
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 00070FD4
.text C:\Windows\System32\svchost.exe[2324] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 00070014
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!GetStartupInfoW 75591929 5 Bytes JMP 0002005E
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!GetStartupInfoA 755919C9 5 Bytes JMP 00020F22
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!CreateProcessW 75591BF3 5 Bytes JMP 00020EE2
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!CreateProcessA 75591C28 5 Bytes JMP 00020079
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!VirtualProtect 75591DC3 5 Bytes JMP 00020F69
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!CreateNamedPipeA 75592EF5 5 Bytes JMP 00020025
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!CreateNamedPipeW 75595C0C 5 Bytes JMP 00020FD4
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!CreatePipe 755B8E6E 5 Bytes JMP 00020F33
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!LoadLibraryExW 755B9109 5 Bytes JMP 00020F86
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!LoadLibraryW 755B9362 5 Bytes JMP 00020FA8
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!LoadLibraryExA 755B94B4 5 Bytes JMP 00020F97
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!LoadLibraryA 755B94DC 5 Bytes JMP 00020FC3
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!VirtualProtectEx 755BDBDA 5 Bytes JMP 00020F4E
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!GetProcAddress 755D903B 5 Bytes JMP 00020ED1
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!CreateFileW 755DAECB 5 Bytes JMP 00020FEF
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!CreateFileA 755DCE5F 5 Bytes JMP 0002000A
.text C:\Windows\Explorer.EXE[2492] kernel32.dll!WinExec 75625CF7 5 Bytes JMP 00020EF3
.text C:\Windows\Explorer.EXE[2492] ADVAPI32.dll!RegCreateKeyExA 766439AB 5 Bytes JMP 00060FCA
.text C:\Windows\Explorer.EXE[2492] ADVAPI32.dll!RegCreateKeyA 76643BA9 5 Bytes JMP 0006005B
.text C:\Windows\Explorer.EXE[2492] ADVAPI32.dll!RegOpenKeyA 766489C7 5 Bytes JMP 00060000
.text C:\Windows\Explorer.EXE[2492] ADVAPI32.dll!RegCreateKeyW 7665391E 5 Bytes JMP 00060076
.text C:\Windows\Explorer.EXE[2492] ADVAPI32.dll!RegCreateKeyExW 766541F1 5 Bytes JMP 00060091
.text C:\Windows\Explorer.EXE[2492] ADVAPI32.dll!RegOpenKeyExA 76657C42 5 Bytes JMP 0006001B
.text C:\Windows\Explorer.EXE[2492] ADVAPI32.dll!RegOpenKeyW 7665E2B5 5 Bytes JMP 00060FE5
.text C:\Windows\Explorer.EXE[2492] ADVAPI32.dll!RegOpenKeyExW 76667BA1 5 Bytes JMP 00060040
.text C:\Windows\Explorer.EXE[2492] msvcrt.dll!_wsystem 75767F2F 5 Bytes JMP 0007004E
.text C:\Windows\Explorer.EXE[2492] msvcrt.dll!system 7576804B 5 Bytes JMP 00070029
.text C:\Windows\Explorer.EXE[2492] msvcrt.dll!_creat 7576BBE1 5 Bytes JMP 00070FD4
.text C:\Windows\Explorer.EXE[2492] msvcrt.dll!_open 7576D106 5 Bytes JMP 0007000C
.text C:\Windows\Explorer.EXE[2492] msvcrt.dll!_wcreat 7576D326 5 Bytes JMP 00070FB9
.text C:\Windows\Explorer.EXE[2492] msvcrt.dll!_wopen 7576D501 5 Bytes JMP 00070FEF
.text C:\Windows\Explorer.EXE[2492] WS2_32.dll!socket 770236D1 5 Bytes JMP 036D000A
.text C:\Windows\Explorer.EXE[2492] WININET.dll!InternetOpenA 769AD690 5 Bytes JMP 03760FEF
.text C:\Windows\Explorer.EXE[2492] WININET.dll!InternetOpenW 769ADB09 5 Bytes JMP 0376000A
.text C:\Windows\Explorer.EXE[2492] WININET.dll!InternetOpenUrlA 769AF3A4 5 Bytes JMP 03760FD4
.text C:\Windows\Explorer.EXE[2492] WININET.dll!InternetOpenUrlW 769F6DDF 5 Bytes JMP 03760025

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73D97817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73DEA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73D9BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73D8F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D975E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73D8E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73DC8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73D9DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73D8FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73D8FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73D871CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73E1CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73DBC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73D8D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73D86853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73D8687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73D92AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [016C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [016C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [016C2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [016C2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe[2872] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe[2872] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe[2872] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe[2872] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\system32\taskeng.exe[4160] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [000A2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\system32\taskeng.exe[4160] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [000A2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\system32\taskeng.exe[4160] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [000A2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\system32\taskeng.exe[4160] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [000A2CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Ryan\Desktop\3jmdp0fy.exe[6084] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00172F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Ryan\Desktop\3jmdp0fy.exe[6084] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [00172D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Ryan\Desktop\3jmdp0fy.exe[6084] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00172CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Ryan\Desktop\3jmdp0fy.exe[6084] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00172CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\tdx \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0xF3 0x96 0x8C 0x47 ...

---- EOF - GMER 1.0.15 ----


Malwarebytes' Anti-Malware 1.41
Database version: 3239
Windows 6.0.6002 Service Pack 2

26/11/2009 9:58:48 PM
mbam-log-2009-11-26 (21-58-48).txt

Scan type: Quick Scan
Objects scanned: 102479
Time elapsed: 3 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

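The IAT section of the GMER log above is easier to read once you separate "import slot that simply resolves into its own DLL" (the gdiplus entries, which point into the WinSxS copy of gdiplus.dll) from "import slot answered by a different module" (every kernel32 -> ntdll Nt* slot in Explorer.EXE, RoxMediaDB9.exe, taskeng.exe and 3jmdp0fy.exe, all answered by LVPrcInj.dll, the Logitech camera helper). The following Python script is an added example for this editorial pass, not code from the thread or from GMER; it parses lines of the format shown above, keeps only real redirections, and groups them by the module that owns the hook address. The sample input is constructed: five lines copied from the log, plus one invented line (not from the thread) hooking into a vendor-less DLL under the user's Temp directory, so the "suspicious" branch has something to fire on. The assumption that GMER omits the trailing "(description/vendor)" when it has no version information for a module is mine.

```python
"""Triage the 'IAT' lines of a GMER log (added example, not GMER's own code).

Line shape:
  IAT <process>[<pid>] @ <importing module> [<dll>!<function>] [<addr>] <module owning addr> (<desc>/<vendor>)
An entry is a hook only when the address lies outside the DLL the import
names; an address inside that DLL is just a resolved import GMER listed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: first five lines copied from the thread's GMER output,
# last line invented for this example (NOT in the thread). The "(desc/vendor)"
# suffix is assumed absent when GMER has no version info for the module.
SAMPLE_LOG = r"""
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D975E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtCreateFile] [016C2F30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtClose] [016C2D00] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\system32\taskeng.exe[4160] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [000A2CA0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Users\Ryan\Desktop\3jmdp0fy.exe[6084] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00172CD0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Windows\Explorer.EXE[2492] @ C:\Windows\system32\kernel32.dll [ntdll.dll!NtQueryDirectoryFile] [00C31A20] C:\Users\Ryan\AppData\Local\Temp\xqz.dll
"""

IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<import_dll>[^!\]]+)!(?P<function>[^\]]+)\] \[(?P<addr>[0-9A-Fa-f]+)\] "
    r"(?P<target>.+?)(?: \((?P<info>[^()]*)\))?$"
)

# Directories a non-admin user can write to; a hook living there is far more
# interesting than one in Program Files with a vendor string.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")


@dataclass
class IatEntry:
    process: str
    pid: int
    import_dll: str      # DLL named in the import, e.g. ntdll.dll
    function: str
    addr: int
    target: str          # module that actually owns the address
    vendor: Optional[str]


def parse_iat(text: str) -> list:
    """Parse every IAT line; anything that is not an IAT line is skipped."""
    entries = []
    for line in text.splitlines():
        m = IAT_RE.match(line.strip())
        if not m:
            continue
        info = m.group("info")
        vendor = info.rsplit("/", 1)[-1].strip() if info else None
        entries.append(IatEntry(m.group("process"), int(m.group("pid")),
                                m.group("import_dll"), m.group("function"),
                                int(m.group("addr"), 16), m.group("target"), vendor))
    return entries


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_hooked(e: IatEntry) -> bool:
    """True when the slot points somewhere other than the DLL it imports from."""
    return basename(e.target) != e.import_dll.lower()


def assess(e: IatEntry) -> str:
    if not is_hooked(e):
        return "resolved"
    if e.vendor is None or any(p in e.target.lower() for p in USER_WRITABLE):
        return "suspicious"
    return "third-party"


def summarize(entries) -> dict:
    """Group real redirections by the module that answers them."""
    groups = {}
    for e in entries:
        verdict = assess(e)
        if verdict == "resolved":
            continue
        g = groups.setdefault(e.target, {"verdict": verdict, "vendor": e.vendor,
                                         "processes": set(), "hooks": set()})
        g["processes"].add(f"{basename(e.process)}[{e.pid}]")
        g["hooks"].add(f"{e.import_dll}!{e.function}")
    return groups


if __name__ == "__main__":
    for target, g in summarize(parse_iat(SAMPLE_LOG)).items():
        print(f"{g['verdict']:12} {target}")
        print(f"{'':12} vendor={g['vendor']}")
        print(f"{'':12} processes={sorted(g['processes'])}")
        print(f"{'':12} hooks={sorted(g['hooks'])}")
```

Run against the thread's real lines only, the script reports a single group: LVPrcInj.dll (Logitech Inc.) answering NtCreateFile, NtClose, NtDeviceIoControlFile and NtDuplicateObject in every listed process, which is a vendor helper injecting itself system-wide rather than the NTOSKRNL-HOOK or ESQUL detections the thread is about. The path heuristic is deliberately coarse; a vendor string proves nothing on its own, so the next step for anything flagged is to check the file's signature and hash, not to trust the label.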
#12 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 27 November 2009 - 08:34 AM

Hi,

This looks good. :( Just to be safe I would like to run a scan with Eset:

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#13 delldummy99 (Topic Starter, Members, 12 posts)

Posted 27 November 2009 - 11:33 PM

ESET did not find any threats. Thanks for all your help Myrti!

#14 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 28 November 2009 - 12:42 PM

Hi,

That looks good. Please upgrade your Java as a next step:
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 17.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u17-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

regards myrti.


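The post above tells the user to remove every older Java runtime by hand and then notes that the 6u17 installer only removes 6 Update 10 and later on its own. The Python script below is an added example for this editorial pass, not part of the post or of Sun's installer; it turns that advice into a check. On Windows it reads DisplayName from the HKLM Uninstall keys (both the native and the Wow6432Node view) with the standard-library winreg module; elsewhere it runs against a constructed list of display names (invented for the example, not taken from the thread), parses the version out of the three naming styles Sun used ("1.4.2_03", "5.0 Update 22", "6 Update 17"), and reports which entries are older than 6u17 and which of those the new installer will not clean up by itself. The target version, the registry paths and the sample names are the example's own assumptions.

```python
"""Find Java runtimes older than the JRE the post asks for (6 Update 17) and
flag the ones its installer will not remove by itself. Added example, not the
post's or the installer's own logic."""
import re
import sys
from typing import List, Optional, Tuple

TARGET = (6, 17)  # JRE 6 Update 17, the version named in the post (assumed target)

# Constructed sample of Add/Remove Programs display names (NOT from the thread).
SAMPLE_ENTRIES = [
    "Java(TM) 6 Update 17",
    "Java(TM) 6 Update 13",
    "Java(TM) 6 Update 7",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "J2SE Runtime Environment 5.0 Update 22",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java Auto Updater",
    "Roxio Creator DE",
]

# Version shapes Sun used in display names; each yields (major, update).
# Order matters: the 1.x.y_NN form must be tried before the bare-digit form.
VERSION_PATTERNS = [
    re.compile(r"\bv?1\.(?P<major>\d)\.\d+_(?P<update>\d+)"),                 # v1.4.2_03
    re.compile(r"\b(?P<major>\d)(?:\.0)?\s+Update\s+(?P<update>\d+)", re.I),  # 6 Update 17, 5.0 Update 22
    re.compile(r"\b(?P<major>\d)(?:\.0)?\b"),                                  # bare "6": update 0
]


def parse_java_version(display_name: str) -> Optional[Tuple[int, int]]:
    """(major, update) for a Java runtime entry; None for anything else."""
    if not re.search(r"\bJ2SE\b|\bJava\b", display_name, re.I):
        return None
    for pat in VERSION_PATTERNS:
        m = pat.search(display_name)
        if m:
            return int(m.group("major")), int(m.groupdict().get("update") or 0)
    return None


def needs_manual_removal(version: Tuple[int, int]) -> bool:
    """Per the post, the 6u17 installer removes only 6 Update 10 and later itself."""
    major, update = version
    return not (major == 6 and update >= 10)


def classify(display_names: List[str], target=TARGET):
    """Return (keep, remove): keep holds (name, version), remove holds
    (name, version, manual) where manual means the installer won't do it."""
    keep, remove = [], []
    for name in display_names:
        ver = parse_java_version(name)
        if ver is None:
            continue
        if ver < target:
            remove.append((name, ver, needs_manual_removal(ver)))
        else:
            keep.append((name, ver))
    return keep, remove


def installed_display_names() -> List[str]:
    """Windows only: DisplayName of every entry under the HKLM Uninstall keys."""
    import winreg  # standard library, present only on Windows
    names = []
    for sub_path in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                     r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub_path)
        except OSError:
            continue
        for i in range(winreg.QueryInfoKey(key)[0]):
            try:
                with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                    names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                pass  # subkey without a DisplayName, or unreadable
    return names


if __name__ == "__main__":
    names = installed_display_names() if sys.platform == "win32" else SAMPLE_ENTRIES
    keep, remove = classify(names)
    for name, ver in keep:
        print(f"keep    {name}  ({ver[0]}u{ver[1]})")
    for name, ver, manual in remove:
        print(f"remove  {name}  ({ver[0]}u{ver[1]}){'  [manual]' if manual else ''}")
```

The "[manual]" marker is the practical output: those entries are the ones that stay behind if the user only runs the new installer, which is exactly why the post has them uninstall everything first. The version regexes cover the display-name styles the example's sample uses; a JDK entry ("Development Kit") would be parsed and listed too, so check the name before removing anything a developer tool depends on.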

#15 myrti (Sillyberry, Malware Study Hall Admin, 33,779 posts)

Posted 21 December 2009 - 08:21 AM

Due to lack of feedback, this topic is now Closed

If you need this topic reopened, please send me a PM.
Please include the address of this thread in your request.
This applies only to the original topic starter.

Everyone else please start a new topic.

With Regards,
myrti
