Pop-up virus


7 replies to this topic

#1 steve498

Posted 06 December 2009 - 08:58 PM

When I do a Google search and click on the listings, I am redirected to a random page. I am also experiencing Google pop-up pages with a foreign language on the page. I've also recently had false infection warnings.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Steve at 19:01:17.18 on Sun 12/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.282 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\McAfee\MSM\McSmtFwk.exe
C:\PROGRA~1\COMMON~1\McAfee\MSC\McUICnt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sheboygan.k12.wi.us/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk-rel/en/side.html?channel=us
BHO: rsion - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.freeonlinegames.com/games/ski3d/index_no.html"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://www.shockwave.com/content/cookingdash/sis/CookingDashWeb.1.0.0.9.cab
DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} - hxxp://download.gamedesire.com/g_bin/eng/cards_2_0_0_77.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} - hxxp://www.shockwave.com/content/dinerdash2/sis/DinerDash2.1.0.0.67.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.cmphotocenter.com/is/DragDropUploader.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/zuma/sis/popcaploader_v10.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} - hxxp://www.shockwave.com/content/dreamchronicles2/sis/dream2web.1.0.0.13.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 91.212.127.226 os-guardpro.com
Hosts: 91.212.127.226 www.os-guardpro.com
Hosts: 192.168.1.3 HP001560465FC9

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\steve\applic~1\mozilla\firefox\profiles\d8g6hiq0.default\
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-17 64160]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-9-16 214664]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [2007-12-27 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1028432]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-10-28 93320]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-10-28 359952]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-10-28 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-10-28 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-10-28 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-10-28 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-10-28 40552]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-10-28 34248]

=============== Created Last 30 ================

2009-12-04 11:54:04 0 d-----w- c:\windows\system32\wbem\Repository
2009-12-04 11:53:23 0 d-----w- c:\program files\Crazy Machines - New Challenges Demo
2009-12-04 11:53:06 0 d-----w- c:\program files\Crazy Machines II Demo
2009-12-04 11:52:41 0 d-----w- c:\program files\Pet Vet
2009-12-04 11:50:23 0 d-----w- c:\program files\Atari
2009-12-04 11:45:58 0 d-----w- c:\program files\Yahoo!
2009-12-04 11:45:58 0 d-----w- c:\program files\PopCap Games
2009-12-04 11:45:58 0 d-----w- c:\program files\PlayFirst
2009-12-04 11:45:58 0 d-----w- c:\program files\Nick Arcade
2009-12-04 11:45:49 0 d-----w- c:\program files\Hasbro Interactive
2009-12-04 11:45:49 0 d-----w- c:\program files\GameHouse
2009-12-04 11:45:45 0 d-----w- c:\program files\Firaxis Games
2009-12-04 11:41:02 0 d-----w- c:\windows\system32\URTTemp
2009-11-28 22:40:54 68951 ----a-w- c:\windows\hpoins05.dat
2009-11-28 22:40:54 19696 ------w- c:\windows\hpomdl05.dat
2009-11-25 22:10:30 0 d-----w- c:\program files\WildGames
2009-11-23 23:35:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Geek Squad
2009-11-18 16:43:03 0 d-----w- c:\program files\DivX
2009-11-18 16:40:46 54156 ---ha-w- c:\windows\QTFont.qfn
2009-11-18 16:40:46 1409 ----a-w- c:\windows\QTFont.for
2009-11-12 22:08:00 178 ----a-w- C:\handle.dat

==================== Find3M ====================

2009-10-23 11:53:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-10-23 11:53:02 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-10-22 09:19:04 5939712 ----a-w- c:\windows\system32\dllcache\mshtml.dll
2009-10-11 10:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-28 14:20:41 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-11 14:18:39 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2008-07-14 02:24:11 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008071320080714\index.dat

============= FINISH: 19:03:56.07 ===============



#2 Buckeye_Sam

    Malware Expert


Posted 07 December 2009 - 08:32 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.


#3 steve498

Posted 08 December 2009 - 06:53 AM

Hi, Sam. Thanks for your help. Here are the results from the two scans you asked me to do. The GMER scan took a long time (I just let it run overnight). I'll look forward to your response.

Steve

OTL logfile created on: 12/7/2009 7:14:37 PM - Run 1
OTL by OldTimer - Version 3.1.11.9 Folder = C:\Documents and Settings\Steve\Desktop
Windows XP Media Center Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.37 Mb Total Physical Memory | 392.78 Mb Available Physical Memory | 38.72% Memory free
2.38 Gb Paging File | 1.79 Gb Available in Paging File | 74.87% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 105.09 Gb Total Space | 29.57 Gb Free Space | 28.13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LAPTOP1
Current User Name: Steve
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009/12/07 19:13:19 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
PRC - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/10/29 06:54:44 | 01,218,008 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee.com\Agent\mcagent.exe
PRC - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MpfSrv.exe
PRC - [2009/10/11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/09/28 08:20:25 | 00,520,024 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
PRC - [2009/09/28 08:20:24 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
PRC - [2009/09/17 13:29:04 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe
PRC - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe
PRC - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe
PRC - [2009/03/08 13:09:26 | 00,638,816 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Internet Explorer\iexplore.exe
PRC - [2008/04/13 18:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2007/08/09 01:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe
PRC - [2007/07/30 15:49:36 | 00,185,632 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2007/07/10 13:02:11 | 00,067,128 | ---- | M] (Logitech Inc.) -- C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
PRC - [2007/05/02 17:16:54 | 00,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2007/02/10 04:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
PRC - [2006/08/03 18:51:42 | 01,032,192 | ---- | M] (Dell Inc) -- C:\Program Files\Dell\QuickSet\quickset.exe
PRC - [2006/03/24 23:30:44 | 00,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe
PRC - [2006/03/08 18:48:02 | 00,761,947 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2005/12/19 15:08:42 | 01,347,584 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\WLTRAY.EXE
PRC - [2005/12/19 15:08:42 | 00,018,944 | ---- | M] () -- C:\WINDOWS\system32\WLTRYSVC.EXE
PRC - [2005/12/19 15:08:40 | 01,200,128 | ---- | M] (Dell Inc.) -- C:\WINDOWS\system32\BCMWLTRY.EXE
PRC - [2005/12/13 23:45:00 | 00,118,784 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxpers.exe
PRC - [2005/12/13 23:41:08 | 00,077,824 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hkcmd.exe
PRC - [2005/12/13 23:41:00 | 00,159,744 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\igfxsrvc.exe
PRC - [2004/12/06 01:05:00 | 00,127,035 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\dla\tfswctrl.exe
PRC - [2004/11/04 19:50:52 | 00,053,248 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
PRC - [2004/11/04 18:28:24 | 00,258,048 | ---- | M] (Hewlett-Packard Co.) -- C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
PRC - [2004/08/10 05:00:00 | 00,016,896 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\unsecapp.exe
PRC - [2004/07/27 16:50:18 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2003/11/07 03:50:00 | 00,019,968 | ---- | M] (Logitech Inc.) -- C:\WINDOWS\LOGI_MWX.EXE
PRC - [2003/10/29 02:06:00 | 00,024,576 | ---- | M] (BVRP Software) -- C:\Program Files\Digital Line Detect\DLG.exe
PRC - [2003/09/10 02:24:00 | 00,020,480 | ---- | M] () -- C:\Program Files\NetWaiting\netwaiting.exe


========== Modules (SafeList) ==========

MOD - [2009/12/07 19:13:19 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
MOD - [2009/11/23 10:38:10 | 00,014,544 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\sahook.dll
MOD - [2006/08/03 18:52:00 | 00,073,728 | ---- | M] () -- C:\Program Files\Dell\QuickSet\dadkeyb.dll
MOD - [2005/12/13 23:39:58 | 00,073,728 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\hccutils.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/11/12 17:06:04 | 00,093,320 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/10/27 11:19:46 | 00,895,696 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MPF\MPFSrv.exe -- (MpfService)
SRV - [2009/10/15 15:49:26 | 00,238,328 | ---- | M] (WildTangent, Inc.) -- C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe -- (GameConsoleService)
SRV - [2009/10/11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/09/28 08:20:24 | 01,028,432 | ---- | M] (Lavasoft) -- C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe -- (Lavasoft Ad-Aware Service)
SRV - [2009/09/17 13:29:04 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc)
SRV - [2009/09/16 10:23:32 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcods.exe -- (McODS)
SRV - [2009/09/16 09:22:08 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\Mcshield.exe -- (McShield)
SRV - [2009/09/16 08:28:38 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\VirusScan\mcsysmon.exe -- (McSysmon)
SRV - [2009/07/08 10:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/07/07 18:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\MNA\McNASvc.exe -- (McNASvc)
SRV - [2007/09/26 13:41:56 | 00,503,608 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2007/09/06 12:28:18 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2007/08/09 01:27:52 | 00,073,728 | ---- | M] (HP) -- C:\WINDOWS\system32\HPZipm12.exe -- (Pml Driver HPZ12)
SRV - [2007/02/10 04:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter)
SRV - [2005/12/19 15:08:42 | 00,018,944 | ---- | M] () -- C:\WINDOWS\System32\WLTRYSVC.EXE -- (wltrysvc)
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2003/07/28 11:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/hws/sb/dell-usuk-rel...html?channel=us
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost



IE - HKU\S-1-5-21-457152051-4210908966-901697037-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3061204
IE - HKU\S-1-5-21-457152051-4210908966-901697037-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-457152051-4210908966-901697037-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.sheboygan.k12.wi.us/
IE - HKU\S-1-5-21-457152051-4210908966-901697037-1006\S-1-5-21-457152051-4210908966-901697037-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-457152051-4210908966-901697037-1006\S-1-5-21-457152051-4210908966-901697037-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = localhost

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Program Files\Real\RealPlayer\browserrecord [2007/07/30 15:50:15 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2009/12/04 17:26:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/13 09:10:55 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/12 16:22:59 | 00,000,000 | ---D | M]

[2009/08/30 16:26:37 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Mozilla\Extensions
[2009/12/04 05:50:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Mozilla\Firefox\Profiles\d8g6hiq0.default\extensions
[2009/12/04 05:39:55 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions

O1 HOSTS File: (178 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.226 os-guardpro.com
O1 - Hosts: 91.212.127.226 www.os-guardpro.com
O1 - Hosts: 192.168.1.3 HP001560465FC9
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (no name) - rsion - No CLSID value found.
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (Lavasoft)
O4 - HKLM..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.EXE (Dell Inc.)
O4 - HKLM..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe (Dell Inc)
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe (Sonic Solutions)
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [Logitech Utility] C:\WINDOWS\LOGI_MWX.EXE (Logitech Inc.)
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKU\S-1-5-21-457152051-4210908966-901697037-1006..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netwaiting.exe ()
O4 - HKU\S-1-5-21-457152051-4210908966-901697037-1006..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -Mozilla\4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident\4.0; File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe (BVRP Software)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe (Hewlett-Packard Co.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe (Logitech Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallVisualStyle = C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles (Microsoft)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: InstallTheme = C:\WINDOWS\Resources\Themes\Royale.theme ()
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-457152051-4210908966-901697037-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Juniper Networks\Secure Application Manager\samnsp.dll (Juniper Networks)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/7.../OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab (StagingUI Object)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/2008.1...toUploader5.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} http://www.musicnotes.com/download/mnviewer.cab (Musicnotes Viewer)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} http://www.shockwave.com/content/cookingda...Web.1.0.0.9.cab (CPlayFirstCookingDasControl Object)
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} http://download.gamedesire.com/g_bin/eng/cards_2_0_0_77.cab (GameDesire Card Games)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} http://photos.walmart.com/WalmartActivia.cab (Snapfish Activia)
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab (ZonePAChat Object)
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} http://www.shockwave.com/content/dinerdash...h2.1.0.0.67.cab (CPlayFirstDinerDash2Control Object)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/2009.0...oUploader55.cab (Facebook Photo Uploader 5 Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} http://www.sibelius.com/download/software/...tiveXPlugin.cab (ScorchPlugin Class)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab (MSN Games - Installer)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} http://www.cmphotocenter.com/is/DragDropUploader.cab (Pixami Drag/Drop Upload UI Control)
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} http://zone.msn.com/binframework/v10/StProxy.cab55579.cab (MSN Games – Game Communicator)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.shockwave.com/content/zuma/sis/...ploader_v10.cab (PopCapLoader Object)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E41BA393-9078-424E-9554-9DB5126F5F4C} http://www.shockwave.com/content/dreamchro...eb.1.0.0.13.cab (CPlayFirstDreamChronControl Object)
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab64162.cab (MSN Games – Backgammon)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\bwfile-8876480 {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll (Logitech Inc.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\__c002917: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/16 04:43:04 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{64fe0824-3fda-11dc-abb4-0015c5c4138f}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{64fe0824-3fda-11dc-abb4-0015c5c4138f}\Shell\default\command - "" = a.exe
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2005/08/16 04:22:48 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (68964818152849408)

========== Files/Folders - Created Within 14 Days ==========

[2009/12/07 19:13:08 | 00,536,576 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
[2009/12/06 19:16:10 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Steve\Desktop\RootRepeal.exe
[2009/12/05 10:25:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\Local Settings\Application Data\PCHealth
[2009/12/04 05:53:23 | 00,000,000 | ---D | C] -- C:\Program Files\Crazy Machines - New Challenges Demo
[2009/12/04 05:53:06 | 00,000,000 | ---D | C] -- C:\Program Files\Crazy Machines II Demo
[2009/12/04 05:52:41 | 00,000,000 | ---D | C] -- C:\Program Files\Pet Vet
[2009/12/04 05:50:23 | 00,000,000 | ---D | C] -- C:\Program Files\Atari
[2009/12/04 05:50:10 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
[2009/12/04 05:46:24 | 00,000,000 | RH-D | C] -- C:\Documents and Settings\Steve\Recent
[2009/12/04 05:45:58 | 00,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2009/12/04 05:45:58 | 00,000,000 | ---D | C] -- C:\Program Files\PopCap Games
[2009/12/04 05:45:58 | 00,000,000 | ---D | C] -- C:\Program Files\PlayFirst
[2009/12/04 05:45:58 | 00,000,000 | ---D | C] -- C:\Program Files\Nick Arcade
[2009/12/04 05:45:49 | 00,000,000 | ---D | C] -- C:\Program Files\Hasbro Interactive
[2009/12/04 05:45:49 | 00,000,000 | ---D | C] -- C:\Program Files\GameHouse
[2009/12/04 05:45:45 | 00,000,000 | ---D | C] -- C:\Program Files\Firaxis Games
[2009/12/04 05:41:02 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\URTTemp
[2009/11/28 16:09:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\My Documents\Downloads
[2009/11/28 15:28:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Steve\My Documents\register backup
[2009/11/25 16:10:30 | 00,000,000 | ---D | C] -- C:\Program Files\WildGames
[4 C:\*.tmp files -> C:\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009/12/07 19:17:00 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{2D7BEABB-8600-4D84-ABE6-F6833A458C84}.job
[2009/12/07 19:13:19 | 00,536,576 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Steve\Desktop\OTL.exe
[2009/12/07 19:03:27 | 00,016,615 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/12/07 19:02:17 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/12/07 18:28:53 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/12/07 18:28:45 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/12/07 18:28:44 | 10,637,14816 | -HS- | M] () -- C:\hiberfil.sys
[2009/12/06 22:50:21 | 06,291,456 | ---- | M] () -- C:\Documents and Settings\Steve\ntuser.dat
[2009/12/06 22:48:30 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\Steve\ntuser.ini
[2009/12/06 19:16:38 | 00,000,000 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\settings.dat
[2009/12/06 19:16:36 | 00,472,064 | ---- | M] ( ) -- C:\Documents and Settings\Steve\Desktop\RootRepeal.exe
[2009/12/06 19:01:10 | 00,524,288 | ---- | M] () -- C:\Documents and Settings\Steve\Desktop\dds.scr
[2009/12/04 23:40:34 | 00,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/12/03 21:46:36 | 00,870,128 | ---- | M] () -- C:\Documents and Settings\Steve\Application Data\mcs.rma
[2009/12/03 21:46:36 | 00,000,004 | ---- | M] () -- C:\Documents and Settings\Steve\Application Data\94ADF8
[2009/11/28 16:58:21 | 00,068,951 | ---- | M] () -- C:\WINDOWS\hpoins05.dat
[2009/11/28 16:56:48 | 00,000,966 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/24 21:47:06 | 00,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[4 C:\*.tmp files -> C:\*.tmp -> ]
[2 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009/12/06 19:16:38 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\settings.dat
[2009/12/06 19:00:24 | 00,524,288 | ---- | C] () -- C:\Documents and Settings\Steve\Desktop\dds.scr
[2009/12/04 23:40:30 | 00,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2009/11/28 22:56:42 | 00,001,851 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Storybook Creator 3.0.lnk
[2009/11/28 16:40:54 | 00,068,951 | ---- | C] () -- C:\WINDOWS\hpoins05.dat
[2009/11/28 16:40:54 | 00,019,696 | ---- | C] () -- C:\WINDOWS\hpomdl05.dat
[2009/07/18 10:08:49 | 08,892,928 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\atscie.msi
[2009/04/14 05:23:48 | 00,000,057 | ---- | C] () -- C:\WINDOWS\DRAGDR~1.INI
[2009/04/03 21:32:20 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\MSVCRT10.DLL
[2009/01/24 15:19:12 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Game.INI
[2008/12/28 12:43:03 | 00,001,700 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/12/13 16:14:38 | 00,000,000 | ---- | C] () -- C:\WINDOWS\PhantomOfVenice.INI
[2008/12/09 22:52:28 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Curses.INI
[2008/09/09 21:06:55 | 00,000,146 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008/08/24 21:41:49 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\ZLIB.DLL
[2008/08/24 21:41:47 | 00,307,200 | ---- | C] () -- C:\WINDOWS\System32\ExportModeller.dll
[2008/08/24 21:41:47 | 00,100,352 | ---- | C] () -- C:\WINDOWS\System32\pg32conv.dll
[2008/08/24 21:41:47 | 00,049,223 | ---- | C] () -- C:\WINDOWS\System32\crtslv.dll
[2008/07/26 08:08:50 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/07/24 20:32:12 | 00,870,128 | ---- | C] () -- C:\Documents and Settings\Steve\Application Data\mcs.rma
[2008/07/24 20:32:12 | 00,000,004 | ---- | C] () -- C:\Documents and Settings\Steve\Application Data\94ADF8
[2008/06/25 07:19:42 | 00,010,240 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/05/19 22:35:33 | 00,003,399 | R--- | C] () -- C:\WINDOWS\System32\hptcpmon.ini
[2008/05/19 22:35:33 | 00,000,145 | ---- | C] () -- C:\WINDOWS\System32\AddPort.ini
[2008/05/19 21:08:43 | 00,001,174 | ---- | C] () -- C:\WINDOWS\hpntwksetup.ini
[2008/05/19 21:04:33 | 00,008,959 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2008/02/08 18:15:24 | 00,000,390 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2007/11/15 16:41:33 | 00,000,181 | ---- | C] () -- C:\WINDOWS\civ.ini
[2007/08/06 22:27:09 | 00,000,008 | ---- | C] () -- C:\WINDOWS\ctrdmrd3.ini
[2007/07/22 16:39:26 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2007/07/22 16:39:26 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2007/07/22 16:39:26 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2007/07/22 16:39:26 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2007/07/22 16:39:26 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2007/07/22 16:39:26 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2007/07/22 16:39:26 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2007/07/22 16:39:26 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2007/07/22 16:39:26 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2007/06/25 19:34:26 | 00,070,400 | ---- | C] () -- C:\WINDOWS\System32\PhysXLoader.dll
[2007/04/05 12:30:54 | 00,000,759 | ---- | C] () -- C:\WINDOWS\KA.INI
[2007/03/10 23:16:51 | 00,000,018 | -H-- | C] () -- C:\WINDOWS\System32\swp_CTasw.ini
[2007/03/05 12:34:28 | 00,676,224 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/01/20 10:09:15 | 00,000,187 | ---- | C] () -- C:\Documents and Settings\Steve\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
[2006/12/08 17:18:09 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006/12/08 16:56:05 | 00,000,128 | ---- | C] () -- C:\Documents and Settings\Steve\Local Settings\Application Data\fusioncache.dat
[2006/12/04 08:36:18 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2006/12/04 08:22:41 | 00,000,138 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2006/12/04 08:18:58 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/12/04 07:42:26 | 00,016,480 | ---- | C] () -- C:\WINDOWS\System32\rixdicon.dll
[2006/12/04 07:42:12 | 00,086,016 | ---- | C] () -- C:\WINDOWS\System32\preflib.dll
[2006/12/04 07:42:08 | 00,757,760 | ---- | C] () -- C:\WINDOWS\System32\bcm1xsup.dll
[2006/12/04 07:42:02 | 00,000,391 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2006/02/09 13:46:30 | 00,106,496 | ---- | C] () -- C:\WINDOWS\System32\VSHP1020.DLL
[2005/08/16 04:37:24 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/05 14:01:54 | 00,235,008 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2005/04/09 17:04:54 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\px.ini
[2004/08/03 22:59:44 | 00,096,512 | ---- | C] () -- C:\WINDOWS\System32\drivers\atapi.sys
[2003/01/07 14:05:08 | 00,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI

========== LOP Check ==========

[2008/12/20 21:32:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\2DBoy
[2007/08/23 12:53:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\7Wonders2
[2009/04/16 17:44:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\blg
[2008/12/20 09:00:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Caspedia
[2005/08/16 20:54:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\DIGStream
[2008/09/30 17:27:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\eGames
[2009/02/24 16:11:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Enkord
[2008/07/13 20:38:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Escape From Paradise
[2009/04/17 16:35:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\EscapeTheMuseum
[2007/09/08 20:23:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\FloodLightGames
[2007/12/04 16:53:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Fugazo
[2009/11/23 17:35:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Geek Squad
[2009/03/04 15:30:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Gogii
[2008/12/19 11:07:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\HipSoft
[2006/12/17 11:45:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\iWin
[2008/11/09 13:03:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\JollyBear
[2009/05/07 15:25:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MumboJumbo
[2008/03/26 13:55:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Musicnotes
[2007/10/20 11:14:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NannyMania
[2008/10/03 17:30:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Oberon Games
[2008/11/13 17:53:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PlayFirst
[2007/07/23 22:11:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2009/01/09 16:20:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Sandlot Games
[2007/10/12 15:41:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Shockwave
[2007/03/10 23:15:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\shockwave.com
[2007/12/31 15:52:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\SpinTop Games
[2009/06/22 10:05:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2009/06/20 19:55:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UClick
[2007/02/09 14:36:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009/11/25 16:14:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildTangent
[2009/03/16 11:36:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WildWestQuest2
[2008/08/25 18:31:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\YAHOO
[2007/09/27 15:11:24 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Zylom
[2009/05/17 08:18:35 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
[2009/06/18 15:03:14 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Debbie\Application Data\Atari
[2009/06/03 16:14:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Debbie\Application Data\Caspedia
[2008/05/28 09:40:29 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Debbie\Application Data\Image Zone Express
[2008/12/04 12:42:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Debbie\Application Data\Juniper Networks
[2007/11/13 09:58:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Debbie\Application Data\Snapfish
[2008/01/12 09:48:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Debbie\Application Data\Walgreens
[2007/10/01 21:01:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Default User\Application Data\Juniper Networks
[2008/07/26 08:08:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gabriella\Application Data\Atari
[2008/09/30 17:26:42 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gabriella\Application Data\eGames
[2008/12/06 17:55:18 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gabriella\Application Data\Home Sweet Home
[2006/12/17 11:45:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gabriella\Application Data\iWin
[2007/09/21 12:38:53 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gabriella\Application Data\Juniper Networks
[2008/07/26 08:05:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gabriella\Application Data\Leadertech
[2008/12/17 15:52:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gabriella\Application Data\MysteryStudio
[2007/11/09 12:59:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gabriella\Application Data\PlayFirst
[2006/12/17 11:37:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Gabriella\Application Data\WildTangent
[2008/07/27 10:36:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\Atari
[2009/04/16 17:44:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\blg
[2008/10/01 15:25:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\eGames
[2009/05/16 08:25:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\Friday's games
[2007/11/12 16:03:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\Gaijin Ent
[2009/06/07 12:31:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\GOL_byHasbro
[2008/12/11 16:19:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\Home Sweet Home
[2008/10/03 17:50:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\Jane s Hotel
[2007/09/23 11:24:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\Juniper Networks
[2007/07/08 10:39:55 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\Leadertech
[2008/02/08 16:23:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\My Games
[2008/11/16 12:06:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\MysteryStudio
[2008/10/03 17:30:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\Oberon Games
[2009/04/22 14:50:47 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\PlayFirst
[2007/10/12 14:51:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\Sandlot Games
[2008/10/03 18:23:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\Wildgames_JanesRealty
[2007/02/24 09:43:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Katarina\Application Data\WildTangent
[2007/10/14 12:05:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
[2009/12/04 05:46:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\SACore
[2007/09/21 16:01:06 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Application Data\Juniper Networks
[2009/12/04 05:51:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Atari
[2007/09/08 20:23:45 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\FloodLightGames
[2008/08/17 16:57:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\GanymedeNet
[2007/09/21 15:56:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Juniper Networks
[2008/07/10 21:09:52 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\OfficeUpdate12
[2008/10/25 12:18:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\PlayFirst
[2007/03/10 23:15:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\shockwave.com
[2009/06/20 19:55:25 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\UClick
[2008/11/30 14:24:38 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Unity
[2007/02/09 14:36:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\Viewpoint
[2006/12/16 15:29:36 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Steve\Application Data\WildTangent
[2009/11/23 09:20:28 | 00,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
[2009/10/28 21:05:48 | 00,000,340 | ---- | M] () -- C:\WINDOWS\Tasks\McDefragTask.job
[2009/10/28 21:05:46 | 00,000,318 | ---- | M] () -- C:\WINDOWS\Tasks\McQcTask.job
[2009/12/07 19:17:00 | 00,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\User_Feed_Synchronization-{2D7BEABB-8600-4D84-ABE6-F6833A458C84}.job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 12:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\i386\AGP440.SYS
[2004/08/03 23:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\i386\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 22:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386\atapi.sys
[2008/04/13 12:40:30 | 00,096,512 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 18:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/10 05:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\i386\eventlog.dll
[2004/08/10 05:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 18:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/10 05:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\i386\netlogon.dll
[2004/08/10 05:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/10 05:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\i386\scecli.dll
[2004/08/10 05:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 18:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< >

========== Alternate Data Streams ==========

< End of report >




GMER 1.0.15.15272 - http://www.gmer.net
Rootkit scan 2009-12-08 05:47:55
Windows 5.1.2600 Service Pack 3
Running: 0e53eout.exe; Driver: C:\DOCUME~1\Steve\LOCALS~1\Temp\uxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF760D87E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF760DBFE]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xA9FDA78A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xA9FDA738]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xA9FDA74C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xA9FDA837]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xA9FDA863]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xA9FDA8D1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xA9FDA8BB]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xA9FDA7CA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xA9FDA8FD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xA9FDA80D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xA9FDA710]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xA9FDA724]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xA9FDA79E]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xA9FDA939]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xA9FDA8A5]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xA9FDA88F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xA9FDA84D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xA9FDA925]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xA9FDA911]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xA9FDA776]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xA9FDA762]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xA9FDA7F9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xA9FDA8E7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xA9FDA7E0]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xA9FDA7B4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwYieldExecution 80504AE8 7 Bytes JMP A9FDA7B8 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtCreateFile 80579084 5 Bytes JMP A9FDA78E \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtMapViewOfSection 805B2004 7 Bytes JMP A9FDA7CE \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnmapViewOfSection 805B2E12 5 Bytes JMP A9FDA7E4 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwProtectVirtualMemory 805B83E8 7 Bytes JMP A9FDA7A2 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenProcess 805CB40A 5 Bytes JMP A9FDA714 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtOpenThread 805CB696 5 Bytes JMP A9FDA728 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!NtSetInformationProcess 805CDE54 5 Bytes JMP A9FDA766 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1144 7 Bytes JMP A9FDA750 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwCreateProcess 805D11FA 5 Bytes JMP A9FDA73C \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwSetContextThread 805D1704 5 Bytes JMP A9FDA77A \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwTerminateProcess 805D29AC 5 Bytes JMP A9FDA7FD \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryValueKey 806219EA 7 Bytes JMP A9FDA893 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwUnloadKey 80622062 7 Bytes JMP A9FDA8EB \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryMultipleValueKey 80622900 7 Bytes JMP A9FDA8A9 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRenameKey 806231D4 7 Bytes JMP A9FDA851 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteKey 80623C42 7 Bytes JMP A9FDA83B \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwDeleteValueKey 80623E12 7 Bytes JMP A9FDA867 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey 80623FF2 2 Bytes JMP A9FDA8D5 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwEnumerateKey + 3 80623FF5 4 Bytes [9B, 29, 90, 90]
PAGE ntkrnlpa.exe!ZwEnumerateValueKey 8062425C 7 Bytes JMP A9FDA8BF \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwOpenKey 80624B84 5 Bytes JMP A9FDA811 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwQueryKey 80624EAA 7 Bytes JMP A9FDA93D \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwRestoreKey 8062516A 5 Bytes JMP A9FDA915 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwReplaceKey 8062585E 5 Bytes JMP A9FDA929 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
PAGE ntkrnlpa.exe!ZwNotifyChangeKey 80625978 5 Bytes JMP A9FDA901 \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
.rsrc C:\WINDOWS\system32\drivers\atapi.sys entry point in ".rsrc" section [0xF74367AC]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1296] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 01690FD4
.text C:\WINDOWS\System32\svchost.exe[1296] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 01690FB9
.text C:\WINDOWS\System32\svchost.exe[1296] WS2_32.dll!socket 71AB4211 5 Bytes JMP 016A0FEF
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00A80000
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00A8006E
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00A80F79
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00A80F8A
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00A80F9B
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00A80FB6
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00A800AD
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00A80090
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00A800C8
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00A80F2F
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00A80F0A
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00A8003D
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00A80011
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00A8007F
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00A8002C
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00A80FD1
.text C:\WINDOWS\system32\svchost.exe[1384] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00A80F4A
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00A7000A
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00A70F83
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00A70FB9
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00A70FD4
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00A70040
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00A70FEF
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00A70025
.text C:\WINDOWS\system32\svchost.exe[1384] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00A70F9E
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00A60047
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!system 77C293C7 5 Bytes JMP 00A6002C
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00A60011
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00A60FE3
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00A60FBC
.text C:\WINDOWS\system32\svchost.exe[1384] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00A60000
.text C:\WINDOWS\system32\svchost.exe[1384] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A40FE5
.text C:\WINDOWS\system32\svchost.exe[1384] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A40000
.text C:\WINDOWS\system32\svchost.exe[1384] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A4001B
.text C:\WINDOWS\system32\svchost.exe[1384] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00A40FCA
.text C:\WINDOWS\system32\svchost.exe[1384] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00A50FE5
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D00FEF
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 1 Byte [E9]
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D00065
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D00F70
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D00054
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D00F97
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D0002F
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D00F49
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D00091
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D00F13
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D00F2E
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D00EF8
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D00FA8
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D00000
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D00080
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D00FC3
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D00FD4
.text C:\WINDOWS\system32\svchost.exe[1492] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D000B6
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00CB001B
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00CB0073
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00CB0FCA
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00CB0000
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00CB0058
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00CB0FEF
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00CB0047
.text C:\WINDOWS\system32\svchost.exe[1492] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00CB002C
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00CA0FC1
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!system 77C293C7 5 Bytes JMP 00CA0042
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00CA0FE3
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00CA0000
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00CA0FD2
.text C:\WINDOWS\system32\svchost.exe[1492] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00CA0011
.text C:\WINDOWS\system32\svchost.exe[1492] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00C80000
.text C:\WINDOWS\system32\svchost.exe[1492] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00C8001B
.text C:\WINDOWS\system32\svchost.exe[1492] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00C80FE5
.text C:\WINDOWS\system32\svchost.exe[1492] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00C80FD4
.text C:\WINDOWS\system32\svchost.exe[1492] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C9000A
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00D20000
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00D2006E
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00D20F79
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D20F8A
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00D20F9B
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00D2002C
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00D20F52
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00D2009A
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00D200CD
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00D200BC
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00D200E8
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00D2003D
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00D2001B
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00D20089
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00D20FCA
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00D20FDB
.text C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00D200AB
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 006A0FC3
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 006A005B
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 006A0FD4
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 006A000A
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 006A0040
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 006A0FEF
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 006A0FA8
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [8A, 88]
.text C:\WINDOWS\system32\svchost.exe[1852] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 006A002F
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00690F88
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!system 77C293C7 5 Bytes JMP 0069001D
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 0069000C
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00690FE3
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00690FAD
.text C:\WINDOWS\system32\svchost.exe[1852] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00690FD2
.text C:\WINDOWS\system32\svchost.exe[1852] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 0067000A
.text C:\WINDOWS\system32\svchost.exe[1852] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00670FEF
.text C:\WINDOWS\system32\svchost.exe[1852] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00670FD4
.text C:\WINDOWS\system32\svchost.exe[1852] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00670025
.text C:\WINDOWS\system32\svchost.exe[1852] WS2_32.dll!socket 71AB4211 5 Bytes JMP 0068000A
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E90000
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E9006C
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E9005B
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E90F81
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E9004A
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E90FB9
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E900A2
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E90087
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E900BD
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E90F24
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E90F13
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E90FA8
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E90FE5
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E90F5C
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E90025
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E90FCA
.text C:\WINDOWS\system32\svchost.exe[2128] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E90F3F
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E8000A
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E80F6F
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E80FB9
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E80FDE
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E80F8A
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E80FEF
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E8002C
.text C:\WINDOWS\system32\svchost.exe[2128] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E8001B
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E70FAD
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E70038
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E70FC8
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E70000
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E7001D
.text C:\WINDOWS\system32\svchost.exe[2128] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E70FE3
.text C:\WINDOWS\system32\svchost.exe[2128] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00E50000
.text C:\WINDOWS\system32\svchost.exe[2128] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00E5001B
.text C:\WINDOWS\system32\svchost.exe[2128] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00E50036
.text C:\WINDOWS\system32\svchost.exe[2128] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00E50FE5
.text C:\WINDOWS\system32\svchost.exe[2128] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00E60FEF
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00E5000A
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00E50F77
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00E50F88
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00E50FA5
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00E50062
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00E50FC0
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00E500AE
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00E50F66
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00E50F30
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00E50F41
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00E50F1F
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00E50047
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00E5001B
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00E50087
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00E50FDB
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00E50036
.text C:\WINDOWS\system32\svchost.exe[2148] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00E500BF
.text C:\WINDOWS\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00E40FB2
.text C:\WINDOWS\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00E40054
.text C:\WINDOWS\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00E40FC3
.text C:\WINDOWS\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00E40FDE
.text C:\WINDOWS\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00E40F8D
.text C:\WINDOWS\system32\svchost.exe[2148] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00E40FEF
.text C:\WINDOWS\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00E4002F
.text C:\WINDOWS\system32\svchost.exe[2148] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00E4001E
.text C:\WINDOWS\system32\svchost.exe[2148] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00E30FA8
.text C:\WINDOWS\system32\svchost.exe[2148] msvcrt.dll!system 77C293C7 5 Bytes JMP 00E3003D
.text C:\WINDOWS\system32\svchost.exe[2148] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00E30FDE
.text C:\WINDOWS\system32\svchost.exe[2148] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00E30FEF
.text C:\WINDOWS\system32\svchost.exe[2148] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00E30FCD
.text C:\WINDOWS\system32\svchost.exe[2148] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00E30018
.text C:\WINDOWS\system32\svchost.exe[2148] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 006E000A
.text C:\WINDOWS\system32\svchost.exe[2148] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 006E0025
.text C:\WINDOWS\system32\svchost.exe[2148] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 006E0036
.text C:\WINDOWS\system32\svchost.exe[2148] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 006E0FDB
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001C0FEF
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001C0F26
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001C0025
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001C0F57
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001C000A
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001C0F83
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001C0040
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001C0EFA
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001C0076
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001C0ED3
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001C0EC2
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001C0F72
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001C0FCA
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001C0F0B
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001C0F94
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001C0FAF
.text C:\WINDOWS\Explorer.EXE[2828] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001C005B
.text C:\WINDOWS\Explorer.EXE[2828] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002B003D
.text C:\WINDOWS\Explorer.EXE[2828] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002B0F9B
.text C:\WINDOWS\Explorer.EXE[2828] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002B002C
.text C:\WINDOWS\Explorer.EXE[2828] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002B0011
.text C:\WINDOWS\Explorer.EXE[2828] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002B0058
.text C:\WINDOWS\Explorer.EXE[2828] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002B0000
.text C:\WINDOWS\Explorer.EXE[2828] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002B0FB6
.text C:\WINDOWS\Explorer.EXE[2828] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4B, 88]
.text C:\WINDOWS\Explorer.EXE[2828] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002B0FC7
.text C:\WINDOWS\Explorer.EXE[2828] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0049
.text C:\WINDOWS\Explorer.EXE[2828] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0038
.text C:\WINDOWS\Explorer.EXE[2828] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C001D
.text C:\WINDOWS\Explorer.EXE[2828] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C0000
.text C:\WINDOWS\Explorer.EXE[2828] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0FBE
.text C:\WINDOWS\Explorer.EXE[2828] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C0FE3
.text C:\WINDOWS\Explorer.EXE[2828] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 002E0FEF
.text C:\WINDOWS\Explorer.EXE[2828] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 002E000A
.text C:\WINDOWS\Explorer.EXE[2828] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 002E0025
.text C:\WINDOWS\Explorer.EXE[2828] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 002E0FD4
.text C:\WINDOWS\Explorer.EXE[2828] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00C90000
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 001D0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 001D0051
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 001D0040
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 001D0F5C
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 001D0F79
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 001D0F9E
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 001D0F1A
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 001D0F35
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 001D008E
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 001D0EFF
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 001D0ED0
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 001D0025
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 001D0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 001D006C
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 001D000A
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 001D0FAF
.text C:\WINDOWS\system32\wuauclt.exe[3340] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 001D007D
.text C:\WINDOWS\system32\wuauclt.exe[3340] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 002C0FCF
.text C:\WINDOWS\system32\wuauclt.exe[3340] msvcrt.dll!system 77C293C7 5 Bytes JMP 002C0064
.text C:\WINDOWS\system32\wuauclt.exe[3340] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 002C002E
.text C:\WINDOWS\system32\wuauclt.exe[3340] msvcrt.dll!_open 77C2F566 5 Bytes JMP 002C000C
.text C:\WINDOWS\system32\wuauclt.exe[3340] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 002C0049
.text C:\WINDOWS\system32\wuauclt.exe[3340] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 002C001D
.text C:\WINDOWS\system32\wuauclt.exe[3340] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 002D0FD4
.text C:\WINDOWS\system32\wuauclt.exe[3340] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 002D0F83
.text C:\WINDOWS\system32\wuauclt.exe[3340] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 002D0025
.text C:\WINDOWS\system32\wuauclt.exe[3340] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 002D0FEF
.text C:\WINDOWS\system32\wuauclt.exe[3340] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 002D0040
.text C:\WINDOWS\system32\wuauclt.exe[3340] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 002D000A
.text C:\WINDOWS\system32\wuauclt.exe[3340] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 002D0F9E
.text C:\WINDOWS\system32\wuauclt.exe[3340] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [4D, 88]
.text C:\WINDOWS\system32\wuauclt.exe[3340] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 002D0FB9
.text C:\WINDOWS\system32\wuauclt.exe[3340] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 008F0000
.text C:\WINDOWS\system32\wuauclt.exe[3340] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 008F0FE5
.text C:\WINDOWS\system32\wuauclt.exe[3340] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 008F0025
.text C:\WINDOWS\system32\wuauclt.exe[3340] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 008F0036
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00280FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00280F4B
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00280F66
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00280F77
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00280040
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00280025
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00280F30
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00280078
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 0028009D
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00280F04
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00280EF3
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00280F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00280FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 0028005B
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00280FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00280000
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00280F1F
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00370FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00370076
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00370FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00370025
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00370065
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 0037000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00370054
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00370FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00380044
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] msvcrt.dll!system 77C293C7 5 Bytes JMP 00380033
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00380FCD
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00380FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00380022
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00380FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A90000
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A9001B
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A9002C
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00A9003D
.text C:\Program Files\Internet Explorer\iexplore.exe[4312] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DE0FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00280FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 00280F9E
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00280FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00280093
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00280076
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00280FCA
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00280F66
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00280F8D
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00280F3A
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 002800D3
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00280F29
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 0028005B
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 0028000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 002800B8
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 00280036
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 00280025
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 00280F55
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00370014
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00370F68
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 00370FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00370FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 00370F83
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00370FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] ADVAPI32.dll!RegCreateKeyW 77DFBA55 2 Bytes JMP 00370FA8
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [57, 88]
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 0037002F
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00380FB2
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] msvcrt.dll!system 77C293C7 5 Bytes JMP 00380033
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00380022
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00380FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00380FC3
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00380FDE
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A90FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A90FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00A90FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[4388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00280FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!VirtualProtectEx 7C801A61 5 Bytes JMP 0028006E
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!VirtualProtect 7C801AD4 5 Bytes JMP 00280F79
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00280F8A
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!LoadLibraryExA 7C801D53 5 Bytes JMP 00280F9B
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 0028002C
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!GetStartupInfoW 7C801E54 5 Bytes JMP 00280F43
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!GetStartupInfoA 7C801EF2 5 Bytes JMP 00280095
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00280F21
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!CreateProcessA 7C80236B 5 Bytes JMP 00280F32
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!GetProcAddress 7C80AE40 5 Bytes JMP 00280F10
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!LoadLibraryW 7C80AEEB 5 Bytes JMP 00280047
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!CreateFileW 7C810800 5 Bytes JMP 00280FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!CreatePipe 7C81D83F 5 Bytes JMP 00280F68
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!CreateNamedPipeW 7C82F0DD 5 Bytes JMP 0028001B
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!CreateNamedPipeA 7C860CDC 5 Bytes JMP 0028000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] kernel32.dll!WinExec 7C86250D 5 Bytes JMP 002800A6
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] ADVAPI32.dll!RegOpenKeyExW 77DD6AAF 5 Bytes JMP 00370FC0
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] ADVAPI32.dll!RegCreateKeyExW 77DD776C 5 Bytes JMP 00370076
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] ADVAPI32.dll!RegOpenKeyExA 77DD7852 5 Bytes JMP 0037001B
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] ADVAPI32.dll!RegOpenKeyW 77DD7946 5 Bytes JMP 00370FE5
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] ADVAPI32.dll!RegCreateKeyExA 77DDE9F4 5 Bytes JMP 0037005B
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] ADVAPI32.dll!RegOpenKeyA 77DDEFC8 5 Bytes JMP 00370000
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] ADVAPI32.dll!RegCreateKeyW 77DFBA55 5 Bytes JMP 00370040
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] ADVAPI32.dll!RegCreateKeyA 77DFBCF3 5 Bytes JMP 00370FAF
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E97F5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DCE79 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2ED67C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E418F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E40C1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E412C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E3F92 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E3FF4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E41F2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E4056 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] msvcrt.dll!_wsystem 77C2931E 5 Bytes JMP 00380F7F
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] msvcrt.dll!system 77C293C7 5 Bytes JMP 00380F9A
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] msvcrt.dll!_creat 77C2D40F 5 Bytes JMP 00380000
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] msvcrt.dll!_open 77C2F566 5 Bytes JMP 00380FE3
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] msvcrt.dll!_wcreat 77C2FC9B 5 Bytes JMP 00380FB5
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] msvcrt.dll!_wopen 77C30055 5 Bytes JMP 00380FC6
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2ED6D8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E44F7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A90FEF
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] WININET.dll!InternetOpenW 3D95DB09 5 Bytes JMP 00A9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] WININET.dll!InternetOpenUrlA 3D95F3A4 5 Bytes JMP 00A90025
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] WININET.dll!InternetOpenUrlW 3D9A6DDF 5 Bytes JMP 00A90FD4
.text C:\Program Files\Internet Explorer\iexplore.exe[4860] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD0000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[4312] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4860] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip NEOFLTR_600_12507.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp NEOFLTR_600_12507.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp NEOFLTR_600_12507.SYS (NetBIOS Redirector/Juniper Networks)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp NEOFLTR_600_12507.SYS (NetBIOS Redirector/Juniper Networks)

Device \FileSystem\Fastfat \Fat A825BD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
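
A small triage parser for the user-mode ".text" hook lines in the GMER log above, added here as an example (it is not part of the thread and not GMER's own code). It separates inline JMP hooks that GMER could attribute to a loaded module (the IEFRAME.dll entries, which are Internet Explorer hooking its own process) from hooks that jump into memory owned by no module, keeps the partial overwrites ("1 Byte [E9]", "2 Bytes [57, 88]") apart, and collects the "suspicious modification" file finding. The sample lines are constructed from the shape of the log; `HOOK_RE`, `triage` and `trampoline_pages` are names chosen for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: a handful of lines in the shape of the GMER 1.0.15
# log above (user-mode ".text" hooks plus the "Files" finding), not a full log.
SAMPLE_LOG = """\
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[4388] kernel32.dll!CreateFileA 7C801A28 5 Bytes JMP 00280FE5
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[4388] kernel32.dll!CreateProcessW 7C802336 1 Byte [E9]
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[4388] ADVAPI32.dll!RegCreateKeyW + 3 77DFBA58 2 Bytes [57, 88]
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[4388] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215435 C:\\WINDOWS\\system32\\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[4388] WS2_32.dll!socket 71AB4211 5 Bytes JMP 00DD000A
.text C:\\Program Files\\Internet Explorer\\iexplore.exe[4860] WININET.dll!InternetOpenA 3D95D690 5 Bytes JMP 00A90FEF
File C:\\WINDOWS\\system32\\drivers\\atapi.sys suspicious modification
"""

# ".text <process>[<pid>] <module>!<export>[ + off] <addr> <n> Byte(s) JMP <target> [<owner> (<desc>)]"
# or, for a partial patch, "... <n> Byte(s) [<hex bytes>]".
HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<func>\S+)(?: \+ (?P<off>\d+))? "
    r"(?P<addr>[0-9A-F]{8}) (?P<n>\d+) Bytes? "
    r"(?:JMP (?P<target>[0-9A-F]{8})(?: (?P<owner>.+?) \((?P<desc>[^)]*)\))?"
    r"|\[(?P<bytes>[^\]]+)\])$"
)
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification$")


@dataclass
class Hook:
    pid: int
    module: str
    func: str
    addr: int
    target: Optional[int]   # None for a partial overwrite such as "[E9]" or "[57, 88]"
    owner: Optional[str]    # module GMER attributed the JMP target to, if any

    @property
    def kind(self) -> str:
        if self.target is None:
            return "partial"        # inconsistent patch, usually leftovers of a hook
        if self.owner is None:
            return "unattributed"   # JMP into memory that belongs to no loaded module
        return "attributed"         # e.g. IEFRAME.dll hooking USER32 inside iexplore.exe


def parse_hook(line: str) -> Optional[Hook]:
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    return Hook(int(m["pid"]), m["module"], m["func"], int(m["addr"], 16),
                int(m["target"], 16) if m["target"] else None, m["owner"])


def triage(log_text: str) -> Dict[str, list]:
    """Bucket hook lines by kind and collect 'suspicious modification' file findings."""
    report: Dict[str, list] = {"unattributed": [], "attributed": [], "partial": [], "files": []}
    for line in log_text.splitlines():
        fm = FILE_RE.match(line.strip())
        if fm:
            report["files"].append(fm["path"])
            continue
        hook = parse_hook(line)
        if hook:
            report[hook.kind].append(hook)
    return report


def trampoline_pages(hooks: List[Hook]) -> Dict[int, List[int]]:
    """Per PID, the 4 KiB pages that unattributed JMP targets fall into. Many hooks
    sharing a few pages is the signature of one injected trampoline block."""
    pages: Dict[int, set] = defaultdict(set)
    for h in hooks:
        if h.kind == "unattributed":
            pages[h.pid].add(h.target & ~0xFFF)
    return {pid: sorted(p) for pid, p in pages.items()}


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for h in rep["unattributed"]:
        print(f"[{h.pid}] {h.module}!{h.func} -> {h.target:08X} (no owning module)")
    print("trampoline pages:", {k: [f"{p:08X}" for p in v]
                                for k, v in trampoline_pages(rep["unattributed"]).items()})
    print("files:", rep["files"])
```

Run over the full log, the report shows the same five or so pages per iexplore.exe PID receiving nearly every kernel32, ADVAPI32, msvcrt, WININET and WS2_32 hook, while the USER32 and ole32 hooks all resolve to IEFRAME.dll.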

#4 Buckeye_Sam, Malware Expert

Posted 08 December 2009 - 10:02 AM

Run OTL.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O2 - BHO: (no name) - rsion - No CLSID value found.
    O20 - Winlogon\Notify\__c002917: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
    O33 - MountPoints2\{64fe0824-3fda-11dc-abb4-0015c5c4138f}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{64fe0824-3fda-11dc-abb4-0015c5c4138f}\Shell\default\command - "" = a.exe
    
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Then also run and post a new OTL log.

==================

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected", DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 steve498 (Topic Starter)

Posted 08 December 2009 - 09:12 PM

My computer will not allow me to run OTL.exe. It found a Trojan virus (Artemis!63bee) in the OTL.exe file. I have not done any of the suggestions you made in your last response. Any alternatives?

#6 Buckeye_Sam, Malware Expert

Posted 09 December 2009 - 08:55 AM

You need to disable McAfee in order to run OTL.
It's a false positive.

Once OTL finishes running you can re-enable McAfee again.

#7 steve498 (Topic Starter)

Posted 09 December 2009 - 12:46 PM

Sam,
Thanks for your time. I really appreciate your willingness to assist me. I ended up contacting McAfee this morning and they took control of my computer and fixed the problem. Again, I appreciate your willingness to take time to help me.

#8 Buckeye_Sam, Malware Expert

Posted 09 December 2009 - 01:00 PM

Wow! McAfee actually fixed the problem? I may have to change my opinion of them if that's true.



